Output escaping on arrays to protect against xss

Question

I need to write a report on ways to protect against SQL injection and XSS and what ways the security in a website I created could be improved.

On my website I used jquery's jTable to display data from a MySQL database.

Inputs for new entries into the db are sanitised using mysql_real_escape_string:

$fieldName = mysql_real_escape_string($_POST["fieldName"]);

(although in my report I have suggested that using prepared satements is a better option and why)

Outputs are displayed using:

print json_encode($jTableResult);

When testing my website I realised that although I had made it harder for SQL injection I could still save HTML and javascript code into the db which would then execute when displayed to the browser. As I didnt know how to solve this I just added the strip_tags function on user inputs:

$fieldName = mysql_real_escape_string(strip_tags($_POST["fieldName"]));

Now that I need to produce this report I want to state the correct way this should have been done and what I could of improved.

So my question... How do you escape outputs in arrays?

Hope this makes sense

Answer 1

You can use htmlspecialchars to output html as plain text: http://www.w3schools.com/php/func_string_htmlspecialchars.asp

strip_tags removes the tags, unless you specify specific tags that can be shown in the output.

Mysql_real_escape_string is used to escape characters for SQL input.. http://www.w3schools.com/php/func_mysql_real_escape_string.asp

However, have a look into Mysqli or PDO and prepared statements to enhance your security. Mysql is depricated.