scarhand Posted October 29, 2007

I'm trying to make it so people can post messages with greater-than and less-than symbols, but no matter what I do I leave myself vulnerable to cross-site scripting. Here is my code (which I've changed several times already).

The INSERT INTO code with cleanup:

```php
<?php
$name = strip_tags(htmlspecialchars(mysql_real_escape_string($_POST['name'])));
$message = strip_tags(htmlspecialchars(mysql_real_escape_string($_POST['message'])));
mysql_query("INSERT into shouts (name, message) VALUES ('$name', '$message')");
?>
```

And here is my code that fetches it (which is completely vulnerable still):

```php
<?php
// Reverses htmlspecialchars(): turns the stored entities back into raw characters
function unhtmlspecialchars($string) {
    return str_replace(array('&lt;', '&gt;', '&quot;', '&amp;'), array('<', '>', '"', '&'), $string);
}
$name = unhtmlspecialchars($name);
$message = unhtmlspecialchars($message);
?>
```

Any help would be greatly appreciated.

https://forums.phpfreaks.com/topic/75275-solved-protecting-against-xss/
Daukan Posted October 29, 2007

You don't have to strip tags if you use htmlentities or htmlspecialchars. Leave it as htmlentities. If code is put in, it will just be displayed as text and not parsed by the browser.
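One way to apply Daukan's advice, as an added example that is not from either poster: keep the stored text raw, let a prepared statement do the SQL quoting, and call htmlspecialchars exactly once when the value is written into the page. The PDO connection, the ENT_QUOTES flags and the sample input are assumptions not taken from the thread.

```php
<?php
// Added example (not the posters' code). Assumes a PDO connection $pdo to a
// table "shouts" with columns name and message, as in the thread.

// Encode for HTML at the moment of output. ENT_QUOTES also encodes single
// quotes, so the value is safe inside attribute values as well as text.
function encode_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the message exactly as typed. The prepared statement handles SQL
// quoting, so neither mysql_real_escape_string nor strip_tags is needed here,
// and the text is not mangled before it reaches the database.
function save_shout(PDO $pdo, string $name, string $message): void
{
    $stmt = $pdo->prepare('INSERT INTO shouts (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// Render rows; every value is encoded here and nowhere else. There is no
// "unhtmlspecialchars" step: decoding on output is exactly what turns the
// stored text back into live markup and re-introduces the XSS.
function render_shouts(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT name, message FROM shouts') as $row) {
        $html .= '<p><b>' . encode_for_html($row['name']) . '</b>: '
               . encode_for_html($row['message']) . "</p>\n";
    }
    return $html;
}

// Constructed sample: a visitor types a message containing tags and quotes.
// The angle brackets and quotes come out as entities, so the browser shows
// the literal characters and never sees a real <b> element.
$sample = 'I think 3 < 5 and "<b>bold</b>" is just text here';
echo encode_for_html($sample), "\n";
```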