I have searched everywhere to learn how to prevent HTML injection. I have also posted two questions on this website, but I didn't get a convincing answer. Below, I am giving the script I made for preventing MySQL and HTML injection in my HTML form.
//sql injection prevention
$name  = mysql_real_escape_string($_POST['name']);
$login = mysql_real_escape_string($_POST['login']);
$user  = mysql_real_escape_string($_POST['user']);
//striping tags
$user  = strip_tags($user);
$login = strip_tags($login);
$name  = strip_tags($name);
After this, I tried to check how well my script is working by using the script below, putting it in the name, login and user fields of my HTML form and saving it in my database:
<script>
document.location = "http://badurl";
</script>
But when I saved the above script in the database and tried to retrieve it for showing on the page, it went to the badurl site. I think strip_tags is not working and I want to know why. And can you please tell me how we can put htmlspecialchars in a while loop (like the script below)?
while ( $row = mysql_fetch_array($query) ) {
    echo('<big><big><big style="color: rgb(158, 0, 0);">' . $row['name'] . ' </big></big></big><p>');
    echo('<big><div style="text-align: justify;">' . $row['login'] . ' </big> </div>');
    echo('<div style="text-align: justify;">' . $row['user'] . ' </div>');
}
You should use htmlspecialchars on the fields before printing them.
while ( $row = mysql_fetch_array($query) ) {
    // escape each field at output time, right where it is placed into the HTML
    echo('<big><big><big style="color: rgb(158, 0, 0);">' . htmlspecialchars($row['name']) . ' </big></big></big><p>');
    echo('<big><div style="text-align: justify;">' . htmlspecialchars($row['login']) . ' </big> </div>');
    echo('<div style="text-align: justify;">' . htmlspecialchars($row['user']) . ' </div>');
}
See also: http://php.net/manual/en/function.htmlentities.php
I would suggest the HTMLPurifier library instead of raw PHP functions.
If you want to remove all tags altogether, then use strip_tags.
If you want to encode the tags, then use htmlspecialchars or htmlentities.
If you want to selectively remove tags that might lead to an injection but allow other tags, then you might want to look into implementing a solution using DOMDocument.
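As an added example (not code from the question or from either answer) of the "encode at output time" approach the answers recommend, the snippet below wraps htmlspecialchars in a small helper that also encodes single quotes and pins the charset, and renders the question's rows through it. The helper name `e`, the function `render_row` and the `$rows` array are assumptions: `$rows` stands in for what mysql_fetch_array() would return and contains the question's stored payload verbatim.

```php
<?php
// Added example: escape user-supplied values once, at output time, in the
// HTML context where they are placed, instead of relying on strip_tags at
// input time. Names and sample data here are constructed for illustration.

// Encode a value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes (htmlspecialchars() does not by
// default); the charset passed must match the page's declared charset.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one result-set row with every field escaped. This mirrors the
// question's loop body, with the stray <big>/<div> nesting straightened out.
function render_row(array $row): string
{
    return '<big><big><big style="color: rgb(158, 0, 0);">' . e($row['name']) . '</big></big></big><p>'
         . '<div style="text-align: justify;">' . e($row['login']) . '</div>'
         . '<div style="text-align: justify;">' . e($row['user']) . '</div>';
}

// Constructed stand-in for the rows mysql_fetch_array($query) would yield.
// The second row holds the exact payload from the question as it would sit
// in the database if input filtering had not removed it.
$rows = [
    ['name' => 'alice', 'login' => 'alice01', 'user' => 'plain text'],
    ['name'  => '<script>document.location = "http://badurl";</script>',
     'login' => 'bob "the builder"',
     'user'  => "O'Brien & Sons"],
];

// The script tags in the second row come out as &lt;script&gt; ... &lt;/script&gt;,
// so the browser displays them as text rather than running them; the quotes
// and ampersand in the other fields are encoded the same way.
foreach ($rows as $row) {
    echo render_row($row), "\n";
}
```

Because the escaping happens in render_row rather than before the INSERT, the stored value stays intact and the same helper protects every place the field is later displayed.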