I need to send a message from a Flash contact form to PHP. Do I need to encode characters like ‘ ” < > & because of possible XSS attacks or something else?
Yes, but not because of XSS in your case. You don’t want to interfere with your db query string, which is using single or double quotes. Within PHP, escape your $_POST or $_GET vars with this
If you’re outputting this data on an HTML page, do this on the output page
You may optionally do the above script before you insert it into the database too
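The answer separates two escaping contexts (the database query and the HTML output page) but the snippets it refers to did not survive on this page. The following is an added example, not the answerer's code, showing the same two steps in PHP for a contact-form handler. It uses a PDO prepared statement for the storage step instead of a string-escaping function, and htmlspecialchars() for the output step. The form field names, the SQLite in-memory database and the sample submission are all constructed for the example.

```php
<?php
// Added example (not from the original answer): the two escaping contexts a
// contact-form handler has to keep separate. Storing the message uses a
// parameterised query (PDO), a substitute for the escape-function approach the
// answer alludes to; rendering it in HTML uses htmlspecialchars(). Neither step
// replaces the other.

declare(strict_types=1);

// Constructed sample input, standing in for what the Flash form would POST.
$post = [
    'name'    => "O'Brien <script>alert(1)</script>",
    'message' => 'She said "hi" & left; 5 > 3',
];

// 1. Storage: bind values instead of interpolating them into the SQL string.
//    SQLite in memory so the example runs offline; table name is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, message TEXT)');

function storeMessage(PDO $db, string $name, string $message): int
{
    // The raw text is stored unchanged; the driver handles quoting, so the
    // single quote in O'Brien cannot terminate the string literal.
    $stmt = $db->prepare('INSERT INTO contact (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
    return (int) $db->lastInsertId();
}

function loadMessage(PDO $db, int $id): array
{
    // Same rule on the way out: even an integer id is bound, not interpolated.
    $stmt = $db->prepare('SELECT name, message FROM contact WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// 2. Output: escape at render time, for the context the value lands in.
function escapeHtml(string $value): string
{
    // ENT_QUOTES covers both ' and " so the value is also safe inside a quoted
    // attribute; ENT_SUBSTITUTE returns U+FFFD instead of an empty string on
    // malformed UTF-8, which would otherwise silently drop the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$id  = storeMessage($db, $post['name'], $post['message']);
$row = loadMessage($db, $id);

// The database holds exactly what was submitted, including the quotes and <>.
assert($row['name'] === $post['name']);
assert($row['message'] === $post['message']);

// Render: every dynamic value is escaped once, here, and nowhere else.
printf(
    "<p><b>%s</b> wrote:</p>\n<p>%s</p>\n",
    escapeHtml($row['name']),
    escapeHtml($row['message'])
);
```

The example escapes only at output time rather than before the INSERT. Storing HTML-escaped text ties the stored copy to one output context; the same message sent by e-mail or returned as JSON would then carry literal `&amp;` and `&lt;`. Whatever encoding the Flash client applies before sending is irrelevant to this code: the server treats the request body as untrusted text and applies the escaping appropriate to each place it uses the value.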