Menu
Community /Pin to ProfileBookmark
@NogDogNov 02.2005 — #You could use [url=http://www.php.net/htmlentities]htmlentities()[/url] when you output the data so that the html tags are not output as such.@NogDogNov 03.2005 — #Assume the name of the form field with the search value is called "search":
@NogDogNov 03.2005 — #Replace mysql_real_escape_string with addslashes() for non-mysql use.
The ini_get() expression is checking to see if "magic quotes" is turned on, which escapes all quotes from the form input. I was doing that to make sure the mysql_real_escape_string() (or addslashes) did not "double escape" quotes in the input.
validation
I have some forms that I need to make more secure. I’v found that if you put the below code into one of the form fields, it executes the script when the page loads again displaying this in the form field. How can I not allow this type of thing?
Javascript code that got executed;
‘;alert(‘XSS’)//”;alert(‘XSS’)//</SCRIPT>!–<SCRIPT>alert(‘XSS’)</SCRIPT>=%26{}
Thanks
Sign in
to post a comment6 Comments(s) ↴
0
@NogDogNov 02.2005 — #You could use 0
@NogDogNov 03.2005 — #Assume the name of the form field with the search value is called "search":[code=php]
$search = $_POST['search'];
if(ini_get("magic_quotes_gpc"))
{
$search = stripslashes($search);
}
$search = mysql_real_escape_string($search);
# now $search is ready for use in a query.
[/code]0
@NogDogNov 03.2005 — #The ini_get() expression is checking to see if "magic quotes" is turned on, which escapes all quotes from the form input. I was doing that to make sure the mysql_real_escape_string() (or addslashes) did not "double escape" quotes in the input.