dprichard Posted January 29, 2008

Okay, I am just learning about cross-site scripting and was trying to clear up some questions I have. When I have user-submitted information and it is going into a database, I have been using mysql_real_escape_string to stop SQL injections. I have just recently learned about XSS and am trying to make sure I understand when and how to protect my sites and users from this.

1. When I insert data into a database, do I need to just use mysql_real_escape_string, or do I also need to filter the data for XSS input?

2. To filter for XSS, is it okay to just use htmlspecialchars, or do I need to use a special function as well?

3. I found this function at quickwired. Is this sufficient, and if I use this should I not use htmlspecialchars, or should I use both? http://quickwired.com/smallprojects/php_xss_filter_function.php

Sorry if I sound like a noob, but I want to make sure I have just started hand coding everything versus using Dreamweaver coding and want to make sure I handle this the right way.