
Sanitizing input


Azu


Right now I sanitize input to protect against XSS.

It makes it so that you cannot search for usernames with high ASCII, though.

Such as Þ and ® and Î.

Is there a way I can make it so high ASCII can be used, without removing protection against XSS?

Right now I am using htmlentities(stripslashes($value),ENT_QUOTES)

https://forums.phpfreaks.com/topic/42862-sanitizing-input/

XSS is only a danger when you are actually outputting the user input to the screen in some way. You should be able to run your query before you ever filter with htmlentities(). I would say a basic way (not entirely complete) would be to simply run your input through strip_tags() to get rid of HTML and then through mysql_real_escape_string() to filter against SQL injection. Then, run your search, and if you are outputting the search to the screen, you can use htmlentities() on it then.


Usernames can have high ASCII in them. Usernames need to show up right, and you should be able to click on them to do a search on that username and find more info. So it needs to be right in the HTML, or else the URL it takes you to will be wrong, and also I like it to show up right.

Is there a way that I can sanitize data for putting it into HTML without messing up high ASCII? I only want to sanitize it for HTML; I have a different function that I use for MySQL queries.

So if there is a name called TÎmmy it should show up right, and when you click it it should bring you to site.com/?user=TÎmmy and should display that name. It will be sanitized for MySQL to run the query, but MySQL sanitizing is different than for HTML...

Sorry if I am not making sense, but I am sleepy and my keyboard is acting weird =/

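Added example, not code from the thread or from Azu, showing the approach both posts circle around: keep the raw username, and escape it separately for each output context at output time. It uses htmlspecialchars() with an explicit UTF-8 charset, which only escapes the five HTML-significant characters and leaves Þ, ® and Î intact, and rawurlencode() for the ?user= link. It also reproduces the original symptom: htmlentities() with a Latin-1 charset (the default before PHP 5.4) mangles multibyte characters. The site.com URL and the sample names are constructed for the example; it assumes UTF-8 throughout (source file, page, database) and that magic_quotes is off, so there is no stripslashes() call.

```php
<?php
// Added example, not code from the original thread. Escapes a username
// separately for each output context (HTML text/attribute and a URL query
// parameter) without destroying non-ASCII characters such as Þ, ® and Î.
// Assumption: the script file, the page and the database all use UTF-8,
// and magic_quotes_gpc is off (so no stripslashes() is needed).

declare(strict_types=1);

// Escape for an HTML text node or attribute value. htmlspecialchars() only
// touches the five characters that have meaning in HTML (& < > " ') and
// leaves every other UTF-8 character alone, so high-ASCII names survive.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a URL query-string value. Percent-encodes everything outside
// the unreserved set, so "TÎmmy" becomes "T%C3%8Emmy" and the browser sends
// the same UTF-8 bytes back when the link is followed.
function escape_url_param(string $value): string
{
    return rawurlencode($value);
}

// Build the clickable profile link for a username (site.com is a placeholder).
// The value is URL-encoded first (inner context) and the whole href is
// HTML-escaped second (outer context), so a name such as 'x" onmouseover='
// or 'a&b=c' cannot break out of the attribute or alter the query string.
function user_link(string $username): string
{
    $href = 'https://site.com/?user=' . escape_url_param($username);
    return '<a href="' . escape_html($href) . '">' . escape_html($username) . '</a>';
}

// Constructed sample names: high-ASCII characters, an XSS attempt, and
// characters that are special inside a URL.
$samples = ['TÎmmy', 'Þor®', '<script>alert(1)</script>', 'a&b=c'];

foreach ($samples as $name) {
    echo user_link($name), "\n";
}

// The original problem: with a Latin-1 charset, htmlentities() treats each
// byte of a UTF-8 character as a separate Latin-1 character, so "Î"
// (bytes C3 8E) becomes "&Atilde;" followed by a stray 0x8E byte.
echo htmlentities('TÎmmy', ENT_QUOTES, 'ISO-8859-1'), "\n";

// With the charset stated correctly, htmlentities() emits the named entity
// "&Icirc;", which renders fine but is unnecessary: htmlspecialchars() is
// enough, and it keeps the stored and displayed name byte-identical.
echo htmlentities('TÎmmy', ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php escape.php` from a UTF-8 terminal. The SQL side is deliberately not in this block: the username that goes into the query is the raw value, bound through a prepared statement (mysqli or PDO) rather than passed through either of the functions above, since HTML escaping and SQL escaping are different encodings for different consumers.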

Archived

This topic is now archived and is closed to further replies.
