frank_solo Posted October 13, 2011

I've been alerted that someone can attack my site using XSS. I have a search box on my site and I've tested it by simply writing "<script>alert('test')</script>". When I do this a pop-up box does come up displaying the word "Test". I have written a preg_replace previously but now I want to add something to it to prevent <script>.

This was my original code:

$search = mysql_real_escape_string(preg_replace('/[^\w\'\"\@\-\.\,\(\) ]/i', '', $_POST['search']));

This is what I thought might work but no luck:

$search = mysql_real_escape_string(preg_replace('/[^\w\'\"\@\-\.\,\(\) ]/i', '', "/<script[^>]*>.*<*script[^>]*>/i", $_POST['search']));

Could anyone please help and tell me how to modify the code to prevent JavaScript? Thanks
The Little Guy Posted October 13, 2011

$data = preg_replace("/\<(script).*\>.*\<\/(script)\>/isU", " ", $data);
KevinM1 Posted October 13, 2011

Or, you could use htmlentities to replace tags with their entity counterparts. The script text (i.e., <script>blahblahblah</script>) would appear on your screen as text, rather than execute.
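The two answers above take different approaches: the preg_replace one tries to strip a specific tag out of the input (a blacklist), while the entity-encoding one makes any markup inert at the point where it is echoed back into the page (output encoding), which is the approach that does not depend on anticipating every tag. Here is an added example of the encoding approach, written for this thread and not code from either poster. It assumes the search term is echoed back on the results page and that the query runs over an assumed `products` table through an assumed PDO connection; the function names are mine.

```php
<?php
// Added example (not from the thread): keep the raw search term intact,
// encode it when building HTML, and bind it when building SQL.
declare(strict_types=1);

// Encode a string for safe placement inside HTML element content or
// a double-quoted attribute. ENT_QUOTES also converts single quotes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the "You searched for ..." fragment from the raw POST value.
// The tag characters in $rawSearch become &lt; and &gt;, so the browser
// shows the text instead of running it.
function renderSearchEcho(string $rawSearch): string
{
    return '<p>You searched for: <strong>' . escapeForHtml($rawSearch) . '</strong></p>';
}

// Database side: do not escape-and-concatenate; bind the value as a
// parameter so the SQL grammar and the data never mix. Assumed table
// and column names. Note that % and _ inside the term still act as
// LIKE wildcards; escape them too if that matters for your search.
function findProducts(PDO $pdo, string $rawSearch): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE name LIKE :term');
    $stmt->execute([':term' => '%' . $rawSearch . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the same string the original poster typed into the box.
$input = "<script>alert('test')</script>";
echo renderSearchEcho($input), PHP_EOL;
```

Running this prints the paragraph with `&lt;script&gt;` where the tag was, so the alert never fires; the database receives the original characters unchanged through the bound parameter. The regex approach, by contrast, has to be updated every time a new kind of markup turns out to matter, and leaves the original `mysql_real_escape_string` concatenation in place.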
frank_solo Posted October 13, 2011 (Author)

Thank you so much "The Little Guy", it worked like a charm.
ZulfadlyAshBurn Posted October 13, 2011

Please mark topic as solved. Thanks (: