Using htmlspecialchars and strip_tags for more security

I am coding my own simple forum. The forum doesn't have a lot of options like emoticons, post a code, post a picture, post a video. The users are able to put only text as a post.

Some people gave me advice to use HTML Purifier, but I don't see the point. I believe this purifier is for websites whose input has the options above (post video, picture, code, etc.). My posts contain only text. I am asking for some advice here. Are htmlspecialchars and strip_tags enough for securing my website? Here is my code.

    // Removing the tags
    $post = strip_tags($post);
    // This encoding is made in order to prevent the user from making XSS attacks.
    // Encoding the user's post...
    $post = htmlspecialchars($post);

In my opinion, this seems pointless, but since I am not experienced I had to ask for advice. First I remove the tags, and then I encode the post (the tags are already removed, so there is nothing to encode). I have done it that way because I get crazy over my website's security.

My hands are always shaking because in my mind there is always doubt that there is some field left vulnerable. I still have doubts in my mind that even after using those two PHP commands I am still vulnerable to XSS. I am doing a server-side check for the post's length in case the user edited the maximum/minimum allowed length that he can put in his post.

I am using prepared statements, I am removing the tags, I am encoding the post for additional security, and I still feel like there is a hole that needs to be filled. If there is someone very experienced in PHP, please give me advice if there is something more that I need to do, or if using those two commands at once is pointless.

Upvotes: 0

Views: 649

Answers (2)

vinayak shahdeo

Reputation: 1488

As @BlackSun asked what to do for PDO, here is another version:

    // where $db is your PDO connection, and $animal_id / $animal_name hold the
    // (untrusted) values taken from the request
    $stmt = $db->prepare("SELECT * FROM animals WHERE animal_id = :animal_id AND animal_name = :animal_name");

    /*** bind the parameters ***/
    $stmt->bindParam(':animal_id', $animal_id, PDO::PARAM_INT);
    // the optional length argument only matters for OUT parameters of stored procedures
    $stmt->bindParam(':animal_name', $animal_name, PDO::PARAM_STR, 5);

    /*** execute the prepared statement ***/
    $stmt->execute();

or you can refer here

Upvotes: 0
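As an added example (not code from the question or from either answer), this is the pattern that answers both the question's strip_tags/htmlspecialchars doubt and the PDO part of the answer above: store the post exactly as typed through a prepared statement, and encode it with htmlspecialchars only at the moment it is rendered into HTML. The `$pdo` connection, the `posts` table and the use of an in-memory SQLite database for the self-check are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Store the post exactly as typed; the prepared statement keeps it out of the SQL.
// The $pdo connection and the "posts" table layout are assumptions for this example.
function savePost(PDO $pdo, int $userId, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (user_id, body) VALUES (:user_id, :body)');
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
}

// Escape at render time, not at save time. ENT_QUOTES also encodes single
// quotes (only the default since PHP 8.1); ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of silently returning an empty string. strip_tags is not
// needed here: once < and > are encoded, any tag text is displayed literally.
function renderPost(string $body): string
{
    $escaped = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . nl2br($escaped) . '</p>';
}

// Self-check against an in-memory SQLite database (needs the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');

// Constructed sample post: a quote, an unbalanced <, an &, a tag and a newline.
$raw = "Bob's post: 1 < 2 && <b>bold</b>\nsecond line";
savePost($pdo, 7, $raw);

$stored = (string) $pdo->query('SELECT body FROM posts')->fetchColumn();
assert($stored === $raw);                 // nothing was altered on the way in

$html = renderPost($stored);
$expected = "<p>Bob&#039;s post: 1 &lt; 2 &amp;&amp; &lt;b&gt;bold&lt;/b&gt;<br />\nsecond line</p>";
assert($html === $expected);              // markup reaches the page as inert text
echo $html, PHP_EOL;
```

Because the raw text is kept in the database, the same post can later be rendered into a different context (JSON, plain-text e-mail) with the encoding that context needs, which a strip_tags-on-input pipeline cannot do.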

vinayak shahdeo

Reputation: 1488

I would recommend using the code in the backend for PHP. Something like this:

    mysqli_real_escape_string($con, $_POST['variable']);

This is a better practice.

Upvotes: 4
