Reputation: 455
remove post html, js, css on insert into mysql
When I post html, js, css tag, rule, syntax's on text input. it show's up on page result!
I user $conn->real_escape_string and mysqli prepared statement but still not secure for me.
my code is:
<?php
require 'config/config.php';
mysqli_set_charset($conn,"utf8");
$qmsg = $_POST["qsmsg"];
$qmsgs = mysqli_real_escape_string($conn, $qmsg);
$ansr = "Answer";
$userName = "John";
$userId="4";
$userType="user";
$imgsp="images/avatar.jpg";
$stmt = $conn->prepare("INSERT INTO qa (qus, ansrq, uname, uid, utype, uimage) VALUES (?, ?, ?, ?, ?, ?)");
$stmt->bind_param("sssiss", $qmsgs, $ansr, $userName, $userId, $userType, $imgsp);
...
$stmt->close();
$conn->close();
?>
Result on my page:
Upvotes: 3
Views: 105
Answers (1)
Reputation: 211610
This is an XSS problem, not a database or CSS problem.
The quick answer is you must call htmlspecialchars on any user data that you're displaying in an HTML context. That will neutralize any HTML a user's introduced either deliberately or by accident.
The long answer is people like to be able to put in some formatting, so consider using something like Markdown so you can type things like *bold* and _italic_ and not have to write actual HTML. There are many, many PHP implementations of this readily available.
Upvotes: 4
Related Questions
- Insert html content to mysql table
- SQL INSERT from HTML Input with checking for already existing
- How to ignore empty input when saving to database
- How to insert data in database without html form tag
- Removing html, javascript etc from POST
- Don't insert to MySQL with php
- change php and mysql insert to mysql only
- php strip html tags and it's data and insert into mysql
- Inserting HTML into database
- help needed for preventing html injection