mikefrederick Posted February 24, 2008

I understand what XSS is and I have done it before, and am looking for clarification on how to prevent it. Should I never echo any $_GET variables in a page and instead put them in a mysql_query when possible, or what?
tippy_102 Posted February 24, 2008

You should never trust data that has been entered from an outside source. Clean everything, and you will be safe. Don't enter anything into your database before sanitizing. You can echo the GET data, but clean it first.
Bauer418 Posted February 24, 2008

You'll want to run htmlentities() before displaying external data, and mysql_real_escape_string() before entering it into a database. On top of that, you should be doing your own manual checks on data before letting it go through your site.
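As an added example that is not part of this thread or any poster's code: the two steps Bauer418 describes, escaping with htmlentities() at the point of output and keeping request data out of the SQL string when it is stored (a PDO prepared statement stands in for mysql_real_escape_string(), which was removed in PHP 7). The request value is constructed, and the in-memory SQLite handle is a stand-in for a MySQL connection so the script runs offline.

```php
<?php
// Added example: escape on output, parameterise on storage.

// Escape a string for use in HTML text or a quoted attribute value.
// ENT_QUOTES covers both ' and " so attribute contexts are handled too.
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Store a search term. The value travels as a bound parameter and is never
// concatenated into the SQL text, so no escaping function is required here.
function store_search(PDO $db, string $term): void {
    $stmt = $db->prepare('INSERT INTO searches (term) VALUES (:term)');
    $stmt->execute([':term' => $term]);
}

// Constructed stand-in for $_GET['q']; in a real page this comes from the request.
$q = '<b>hello</b>" onmouseover="x';

// Vulnerable: raw request data echoed straight into the page markup.
// echo 'You searched for: ' . $q;
// echo '<input type="text" name="q" value="' . $q . '">';

// Hardened: the same value, escaped at the moment it is written to HTML.
echo 'You searched for: ' . h($q), "\n";
echo '<input type="text" name="q" value="' . h($q) . '">', "\n";

// Constructed stand-in for a MySQL connection so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE searches (id INTEGER PRIMARY KEY, term TEXT)');
store_search($db, $q);

// Reading it back: the stored value is the original, unescaped string.
// HTML escaping belongs to the output layer, not the storage layer, so the
// same row can later be rendered into HTML, JSON or a log with the right
// encoding for each destination.
$row = $db->query('SELECT term FROM searches')->fetch(PDO::FETCH_ASSOC);
echo 'stored: ' . h($row['term']), "\n";
```

htmlentities() is only the right encoding for HTML text and quoted attribute values; a value placed inside a script block, a URL or a style declaration needs that context's own encoding.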