peranha Posted March 1, 2008
Cross Site Scripting: You can submit ">code when adding comments. Cross Site Scripting: You can submit ">code when creating a PM. I am wondering how to prevent this from happening. Here is my add comment page.

    <?php
    // $server, $user, $pass, $db, $pre and $stamp are assumed to come from an
    // included config file, and session_start() is assumed to have run already
    // open connection
    $connection = mysql_connect($server, $user, $pass) or die("Unable to connect!");

    // select database
    mysql_select_db($db) or die("Unable to select database!");

    // Escape strings, and make sure they are filled in
    // (mysql_real_escape_string only protects the SQL query; it does nothing for HTML output)
    $subject = empty($_POST['subject'])
        ? die("<b class=red>ERROR: Enter Subject</b>")
        : mysql_real_escape_string(strip_tags($_POST['subject']));
    $comment = empty($_POST['post'])
        ? die("<b class=red>ERROR: Enter a Comment</b>")
        : mysql_real_escape_string($_POST['post']);

    // create query
    $query = "INSERT INTO " . $pre . "comments (subject, comment, user, timestamp)
              VALUES ('$subject', '$comment', '$_SESSION[username]', '$stamp')";

    // execute query
    $result = mysql_query($query) or die("Error in query: $query. " . mysql_error());

    // close connection
    mysql_close($connection);
    ?>

https://forums.phpfreaks.com/topic/93881-solved-how-to-prevent-this/
QuietWhistler Posted March 1, 2008
I am not sure what you are asking. Do you want to prevent the users from using HTML in their comments/PMs? In that case, use the function: http://nl.php.net/manual/en/function.htmlspecialchars.php
shocker-z Posted March 1, 2008
If you're just wanting to stop < and > then you could just do

    $replace = array('<', '>');
    $with    = array('', '');
    $var     = str_replace($replace, $with, $var);

That's a simple way but there may be other better ways to auto remove everything that could be a vulnerability.
Regards Liam
wildteen88 Posted March 1, 2008
If you don't want to accept any html at all being posted by your forms then use the strip_tags function to strip html tags.
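The replies above cover the two options the thread settles on: strip tags on input, or encode on output. The following is an added example, not code from the original poster or the replies, showing how the encode-on-output approach looks for the comment rows stored by the script in the first post; escape_html and render_comment are names chosen here, and the sample rows are constructed.

```php
<?php
// Added example (not the thread's own code): keep the stored comment as the
// user typed it and encode it when rendering, so it displays as text, never as markup.

function escape_html(string $s): string {
    // ENT_QUOTES also encodes ' and ", which matters inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(array $row): string {
    // Every untrusted field passes through escape_html before it touches markup.
    // nl2br runs after encoding, so the <br /> it inserts is the only markup present.
    return '<div class="comment" data-user="' . escape_html($row['user']) . '">'
         . '<h4>' . escape_html($row['subject']) . '</h4>'
         . '<p>' . nl2br(escape_html($row['comment'])) . '</p>'
         . '</div>';
}

// Constructed sample rows, as they might come back from the comments table
$rows = [
    ['user' => 'alice', 'subject' => 'Hello',        'comment' => "First line\nSecond line"],
    ['user' => 'bob',   'subject' => 'Maths',        'comment' => '2 < 3 and "quoted" text'],
    ['user' => 'eve',   'subject' => '"> attribute', 'comment' => '<b>tags</b> in a comment'],
];

foreach ($rows as $row) {
    echo render_comment($row), "\n";
}

// Why strip_tags alone is not enough: it removes tags but leaves the quotes that
// end an attribute value, so a value like "> still needs encoding when echoed.
$subject = '"> attribute';
echo "strip_tags only:    " . strip_tags($subject) . "\n";   // quotes survive untouched
echo "htmlspecialchars:   " . escape_html($subject) . "\n";  // &quot;&gt; attribute
```

The point the example makes is that the storage layer (mysql_real_escape_string) and the presentation layer (htmlspecialchars) protect against different things, and the comment needs the second one at every place it is echoed, including inside attribute values.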