[SOLVED] protecting against XSS


scarhand


I'm trying to make it so people can post messages with greater-than and less-than symbols, but no matter what I do I leave myself vulnerable to cross-site scripting.


Here is my code (which I've changed several times already):


The INSERT code with cleanup:


<?php

// Each field is SQL-escaped, then HTML-encoded, then has any remaining tags stripped,
// all before it is stored.
$name = strip_tags(htmlspecialchars(mysql_real_escape_string($_POST['name'])));
$message = strip_tags(htmlspecialchars(mysql_real_escape_string($_POST['message'])));

mysql_query("INSERT into shouts (name, message) VALUES ('$name', '$message')");

?>


And here is my code that fetches it (which is still completely vulnerable):


<?php

// Reverses htmlspecialchars(): turns the stored entities back into the raw characters.
// (The entity strings in the first array were lost when this page was extracted; restored here.)
function unhtmlspecialchars($string)
{
  return str_replace(array('&lt;', '&gt;', '&quot;', '&amp;'), array('<', '>', '"', '&'), $string);
}

// $name and $message hold the columns of a row fetched from the shouts table
$name = unhtmlspecialchars($name);
$message = unhtmlspecialchars($message);

?>


Any help would be greatly appreciated.

https://forums.phpfreaks.com/topic/75275-solved-protecting-against-xss/
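The pattern the post is circling around is to store the raw text and encode it once, for HTML, at the moment it is written into the page; the `unhtmlspecialchars()` step is exactly what reintroduces the XSS. Added example, not code from the original post: it uses PDO with an in-memory SQLite table standing in for the MySQL `shouts` table, a prepared statement for the insert, and `htmlspecialchars()` only in the render function.

```php
<?php
// Added example, not from the original post. Assumes PDO with the sqlite driver;
// the in-memory database stands in for the MySQL shouts table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shouts (name TEXT, message TEXT)');

// Insert: the prepared statement handles SQL quoting, so the text is stored as typed.
// No HTML encoding belongs here; that would tie the stored data to one output context.
function save_shout(PDO $db, string $name, string $message): void
{
    $stmt = $db->prepare('INSERT INTO shouts (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// Output: encode exactly once, for HTML, where the text enters the page.
// ENT_QUOTES covers both quote styles so the value is also safe inside attributes.
function render_shout(string $name, string $message): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<p><b>' . htmlspecialchars($name, $flags, 'UTF-8') . ':</b> '
         . htmlspecialchars($message, $flags, 'UTF-8') . '</p>';
}

// Constructed sample posts: one with angle brackets the user wants shown verbatim,
// one that would run as script if it were echoed after unhtmlspecialchars().
save_shout($db, 'alice', 'use <b>bold</b> if 1 < 2 && 3 > 2');
save_shout($db, "bob's", '<script>alert(1)</script>');

foreach ($db->query('SELECT name, message FROM shouts') as $row) {
    echo render_shout($row['name'], $row['message']), PHP_EOL;
}
```

Both rows reach the browser with their angle brackets as entities, so the first displays its `<b>` literally and the second is shown as text rather than executed.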