Reputation: 2815
Prevent HTML data from being posted into form textboxes
I'm making a web application using PHP in where I have a form that makes entries into a MySQL database and later displays it on another webpage. But the problem is that the text boxes in the form tend to accept HTML content making the application vulnerable to XSS hacks. How do I convert HTML to plain text before I display it in the webpage.
Please feel free to ask questions in case I lack providing any information.
---------------------------------------(UPDATE)----------------------------------------
Many of you fellow mates have suggested the use of htmlspecialchars but in that case, if I were to allow user to refer to other pages using hyperlinks, how do I do that?
Upvotes: 1
Views: 1524
Answers (3)
Reputation: 3172
htmlspecialchars is one to to prevent xss
strip_tags also strips out PHP tags
also make sure to use mysqli_real_escape_string or the like to prevent SQL injection
UPDATE in response to your update, the simplest way to do that would be to use one of the many markdown syntaxes ala Daring Fireball. Since the markdown syntax are not HTML/PHP tags, it should pass through the PHP functions without problem, but I have never implemented this myself, so YMMV.
Upvotes: 1
Reputation: 1343
htmlspecialchars is one of your friends for that, you may also want to replace utf8, hexencoded or entitified version of < to avoid obfuscated script to get through.
Upvotes: 2
Related Questions
- User inputs, clean and sanitize before sending to db
- Form Input Validation using HTML enough to be secure?
- Sanitizing and validating form php
- Sanitize user input if input has html
- Don't submit existing values in MYSQL database using JavaScript
- Website Form Validation
- Protecting my html forms from injection
- Prohibit the posting of HTML in textarea form field
- Form Validation PHP / Avoiding injections
- PHP prevent HTML in form text field?