I have one problem regarding the data insertion in PHP.
In my site there is a message system.
So when my inbox loads it gives one JavaScript alert.
I have searched a lot in my site and finally I found that someone has sent me a message with the text below.
<script>
alert(5)
</script>
So how can I restrict the script code being inserted in my database?
I am running on PHP.
You should use strip_tags. If you still want to allow some HTML, then add a whitelist in the second parameter.

I should add a really big caveat here. If you're leaving any tags in a strip_tags whitelist, you can still be susceptible to JavaScript injection. Assume you're allowing the seemingly innocuous tags <strong> and <em>:

You have a couple of serious options:

strip_tags with no whitelist. Safe, but doesn't allow for any formatting, and may cause problems with strings like this: "x<y, but y>4" --> "x4"

htmlentities. Use this when displaying the data on the screen (not on the data before you put it in the database). It's safe, but doesn't allow for formatting.
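As an added example, not code from the question or answer above: the two options the answer names, applied to the message from the question and to the "x<y, but y>4" string the answer warns about. The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not from the original post). All inputs are constructed.

// Option 1: strip_tags with no whitelist, applied before the message is stored.
// Tags are removed, but the text between them is kept.
function sanitizeByStripping(string $message): string
{
    return strip_tags($message);
}

// Option 2: store the raw message and encode it at display time.
// ENT_QUOTES also encodes single quotes, so the result is safe inside
// attribute values as well as in element content.
function renderForHtml(string $message): string
{
    return htmlentities($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$attack = "<script>\nalert(5)\n</script>";   // the message from the question
$mathy  = "x<y, but y>4";                   // the answer's collateral-damage case

// strip_tags drops the <script> element, leaving only inert text...
echo sanitizeByStripping($attack), "\n";     // "\nalert(5)\n"
// ...but it also mangles ordinary text containing '<' and '>'.
echo sanitizeByStripping($mathy), "\n";      // "x4"

// htmlentities keeps the original text intact and makes the browser
// render the markup as literal characters instead of executing it.
echo renderForHtml($attack), "\n";           // "&lt;script&gt;\nalert(5)\n&lt;/script&gt;"
echo renderForHtml($mathy), "\n";            // "x&lt;y, but y&gt;4"
```

With option 2 the database holds the message exactly as sent, and every place that prints it must call renderForHtml (or htmlentities directly); forgetting one output path is how the alert gets through.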