i have a form that posts to a database and i was testing code that prevents any javascript or othe client-side scripting from being submitted to the database.All javascript code i submitted ended up in the database, i figure this is bad.How can i prevent this?
rhodoscoder 0 Light Poster
Alibi Ghazi 0 Newbie Poster
The easiest solution is to create a verification test (in js) on the form .
decade 2 Junior Poster in Training
use the PHP code
strip_tags()
on your PHP page.
example:
$variablename = strip_tags($_POST['myvalue']);
cereal 1,524 Nearly a Senior Poster Featured Poster
Consider to use HTML Purifier in your application: http://htmlpurifier.org/
It will give you the ability to whitelist the tags that you want to allow and, most important, it will validate the attributes, removing the javascript included.
rhodoscoder 0 Light Poster
thank you@Alibi Ghazi, $decade and @cereal.@cereal I ran into html purifier but haven't tried it yet, i heard it slows down you app.
cereal 1,524 Nearly a Senior Poster Featured Poster
Yes, when you get heavy traffic it can slow down responses, but you have few options: http://htmlpurifier.org/docs/enduser-slow.html
Bye!
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.