Azu, posted March 15, 2007

Right now I sanitize input to protect against XSS. It makes it so that you cannot search for usernames with high ASCII, though, such as Þ and ® and Î. Is there a way I can make it so high ASCII can be used, without removing protection against XSS? Right now I am using htmlentities(stripslashes($value), ENT_QUOTES).
obsidian, posted March 15, 2007

XSS is only a danger when you are actually outputting the user input to the screen in some way. You should be able to run your query before you ever filter with htmlentities(). I would say a basic way (not entirely complete) would be to simply run your input through strip_tags() to get rid of HTML and then through mysql_real_escape_string() to filter against SQL injection. Then run your search, and if you are outputting the search to the screen, you can use htmlentities() on it then.
Azu (author), posted March 15, 2007

Usernames can have high ASCII in them. Usernames need to show up right, and you should be able to click on them to do a search on that username and find more info. So it needs to be right in the HTML, or else the URL it takes you to will be wrong, and also I like it to show up right. Is there a way that I can sanitize data for putting it into HTML without messing up high ASCII? I only want to sanitize it for HTML; I have a different function that I use for MySQL queries. So if there is a name called TÎmmy, it should show up right, and when you click it, it should bring you to site.com/?user=TÎmmy and should display that name. It will be sanitized for MySQL to run the query, but MySQL sanitizing is different than for HTML... Sorry if I am not making sense, but I am sleepy and my keyboard is acting weird =/
per1os, posted March 15, 2007

Just use this:

$content = str_replace('<', '&lt;', $content);

This will make sure all HTML tags are displayed and not executed.
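The question asked above (escape a username for HTML without damaging non-ASCII letters, and build a clickable link to site.com/?user=...) is really about using a different encoding for each output context. The following is an added example, not code from any poster in this thread: it uses htmlspecialchars() with an explicit UTF-8 charset for the HTML context, rawurlencode() for the URL query context, and leaves the raw value for the database query, which today would go through a prepared statement rather than the mysql_* functions mentioned above. The sample usernames, the site.com URL form taken from the question, and the $db connection in the trailing comment are constructed assumptions.

```php
<?php
// Added example (not from the thread): escape for HTML without touching
// non-ASCII characters, and build the profile link with URL encoding.

// Constructed sample usernames: two with non-ASCII letters, one containing
// markup and a quote character that must not reach the browser unescaped.
$names = ['TÎmmy', 'Þor®Î', 'Ev"il<b>name</b>'];

// HTML context: escape only & < > " ' and leave everything else, including
// multibyte UTF-8 letters, exactly as stored. The explicit charset matters:
// before PHP 5.4 the default was ISO-8859-1, which is what mangles non-ASCII
// input when the page is actually UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// URL query context: percent-encode the raw (not HTML-escaped) value. Non-ASCII
// letters become their UTF-8 bytes (TÎmmy -> T%C3%8Emmy) and PHP decodes them
// back into $_GET['user'] on the receiving page, so the search still matches.
function profileUrl(string $username): string
{
    return 'site.com/?user=' . rawurlencode($username);
}

// Render one clickable username: build the URL from the raw value first, then
// HTML-escape the whole attribute value like any other attribute, and
// HTML-escape the visible text separately.
function renderUserLink(string $username): string
{
    return '<a href="' . escapeHtml(profileUrl($username)) . '">'
         . escapeHtml($username) . '</a>';
}

// Tell the browser the page is UTF-8 so the escaped bytes display correctly.
header('Content-Type: text/html; charset=UTF-8');
foreach ($names as $name) {
    echo renderUserLink($name), "<br>\n";
}

// Database context is separate: pass the raw value to a prepared statement
// instead of reusing the HTML-escaped string (assumes a mysqli connection $db).
// $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
// $stmt->bind_param('s', $name);
// $stmt->execute();
```

For the third sample name the visible text comes out as `Ev&quot;il&lt;b&gt;name&lt;/b&gt;`, so the browser shows the markup rather than interpreting it, while TÎmmy is emitted byte for byte and displays as typed. The key point is that one function per context (HTML, URL, SQL) replaces the single htmlentities() call on the input, and that escaping happens at output time, not before the value is stored or queried.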