
How would I keep JavaScript and PHP code from being entered into a form or saved to a database? I'm still learning about client/server-side security and this seems to be an issue I need to resolve :p Could I do this on the PHP side?

asked Jul 27, 2011 at 6:24

2 Answers


When you are inserting into a database with PHP, you can use the strip_tags() function.

e.g.:

$query = "INSERT INTO `DB` (`id`, `data`)
VALUES (" . (int)$id . ", '" . mysql_real_escape_string(strip_tags($data)) . "');";
// The escaped string value has to be quoted in the SQL; $id is cast to an integer.
// Note: the mysql_* extension was removed in PHP 7; mysqli or PDO replace it there.
mysql_query($query) or die(mysql_error() . '<br/><pre>' . $query . '</pre>'); // Debug only

The strip_tags() function will strip all the HTML tags from the passed variable, including the <script> tag, so no JavaScript will be passed. http://php.net/manual/en/function.strip-tags.php

Edit:
Added the mysql_real_escape_string()

answered Jul 27, 2011 at 6:31

7 Comments

If I were you, I would add mysql_real_escape_string before someone downvotes this. I've seen it happen to others.
Can I strip specific tags? Like only those with <script>?
It had mysql_real_escape_string in it. But that is not the question. It's about stripping tags passed by a form ... But well, I'll add it again ..
I've referred to this list several times to make sure I'm writing secure PHP code (as it's easy not to) - ibm.com/developerworks/opensource/library/os-php-secure-apps/…
Yes you can, but the other way around. Instead of stripping tags, you can allow them like so: $striped_data=strip_tags($data,'<a><br><p>'); This will allow only the tags a, br and p to NOT be stripped
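As an added example (this is not code from the answer or its comments), the script below runs strip_tags() over a few constructed inputs, once stripping everything and once with the allowlist suggested in the comments above. It shows two things a practitioner should know before relying on it: the tag is removed but its text content (the JavaScript itself) stays in the string, and any tag on the allowlist keeps all of its attributes, so an onmouseover handler or a javascript: href passes through untouched. Entity-encoded input contains no "<" at all and is not changed.

```php
<?php
// Added example, not part of the original answer. Shows what strip_tags()
// keeps and what it drops. The sample inputs are constructed for this demo.

/**
 * Run strip_tags() on a value twice: once stripping every tag, once with the
 * allowlist from the comments above (<a>, <br>, <p>).
 */
function stripVariants(string $raw): array
{
    return [
        'input'   => $raw,
        'all'     => strip_tags($raw),
        'allowed' => strip_tags($raw, '<a><br><p>'),
    ];
}

// Constructed inputs covering the cases that matter.
$samples = [
    '<script>alert(1)</script>hello',          // tag is removed, "alert(1)" text stays
    '<p onmouseover="alert(1)">text</p>',       // allowed tag keeps its event-handler attribute
    '<a href="javascript:alert(1)">link</a>',   // allowed tag keeps its javascript: URL
    '&lt;script&gt;alert(1)&lt;/script&gt;',    // entity-encoded: no '<' present, left as-is
];

foreach ($samples as $s) {
    $r = stripVariants($s);
    printf("input:   %s\nall:     %s\nallowed: %s\n\n", $r['input'], $r['all'], $r['allowed']);
}
```

Run it with the php command-line binary. The second and third inputs come back unchanged in the "allowed" column, and the first loses only the tag, not the payload text. strip_tags() is a content filter; it is not an escaping function, and it says nothing about what the value will do once it is written back into a page. Escaping for the output context (htmlspecialchars() for HTML) is still needed regardless of what was stripped on the way in.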
> Could I do this on php side?

You have to - never (ever!) trust incoming data or client-side security checks via JavaScript. JavaScript can secure some content and take some workload off your server, but it is useless when bypassed or deactivated.

Use the Internet search engine of your choice, look up and learn more about SQL injection / Cross Site Scripting (XSS).

answered Jul 27, 2011 at 6:36
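Putting the two answers together as an added example (this is not code from either answer): the server does the work, with a parameterized INSERT covering the SQL injection side and htmlspecialchars() applied when the stored text is written back into HTML, covering the XSS side. Nothing is stripped on input. It uses an in-memory SQLite database through PDO so it runs stand-alone (it assumes the pdo_sqlite extension is installed); the two hostile inputs are constructed for the demo.

```php
<?php
// Added example, not part of either answer. Server-side handling of form
// input: parameterized INSERT (SQL injection) and escaping on output (XSS).
// Uses an in-memory SQLite database via PDO (assumes pdo_sqlite is available).
// The submitted values below are constructed for this demo.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Store the text exactly as submitted. The placeholder keeps the value out of
// the SQL grammar, so quotes, semicolons or "<script>" in $body cannot change
// the statement that runs.
function saveComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Escape at the point of output, for the context the value lands in (here:
// HTML body text). ENT_QUOTES also covers single quotes, which matters if the
// same helper is ever used inside an attribute value.
function renderComment(string $body): string
{
    return '<li>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

$db = openDb();

// Constructed hostile inputs: one XSS attempt, one SQL injection attempt.
$submitted = [
    '<script>alert(document.cookie)</script>',
    "x'); DROP TABLE comments; --",
];
foreach ($submitted as $s) {
    saveComment($db, $s);
}

// Both rows are stored verbatim and the table still exists.
$count = (int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
echo "rows stored: $count\n";

// Rendered output: the browser receives literal text, not a script element.
foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
    echo renderComment($row['body']), "\n";
}
```

The count query confirms the second input did not break out of the VALUES clause, and the rendered list items contain &lt;script&gt; rather than <script>, which is what keeps the browser from executing it. The same two measures apply whatever the database driver: in PHP 7 and later the mysql_* functions used in the first answer no longer exist, and both mysqli and PDO support prepared statements.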
