scarhand Posted October 29, 2007 Share Posted October 29, 2007 im trying to make it so people can post messages with greater and less than symbols but no matter what i do i leave myself vulnerable to cross site scripting here is my code (which ive changed several times already): the insert into code with cleanup: <?php $name = strip_tags(htmlspecialchars(mysql_real_escape_string($_POST['name']))); $message = strip_tags(htmlspecialchars(mysql_real_escape_string($_POST['message']))); mysql_query("INSERT into shouts (name, message) VALUES ('$name', '$message')"); ?> and here is my code that fetches it (which is completely vulnerable still) <?php function unhtmlspecialchars($string) { return str_replace(array('<', '>', '"', '&'), array('<', '>', '"', '&'), $string); } $name = unhtmlspecialchars($name); $message = unhtmlspecialchars($message); ?> any help would be greatly appreciated Link to comment https://forums.phpfreaks.com/topic/75275-solved-protecting-against-xss/ Share on other sites More sharing options...
Daukan Posted October 29, 2007 Share Posted October 29, 2007 You don't have to strip tags if you use htmentities or htmlspecialchars. Leave it as htmlentities. If code is put in it will just be displayed as text and not parsed by the browser. Link to comment https://forums.phpfreaks.com/topic/75275-solved-protecting-against-xss/#findComment-380737 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.