I have a comment box, and for every comment a user submits I take the contents of the comment and insert it into the database. But whenever some destructive user enters `alert('Hello World');`, it gets detected and creates abnormalities on the website. How can I prevent this issue, or how can I ignore the function of that "TEXT" as a script? Thanks!
- [`htmlspecialchars()`](http://php.net/manual/en/function.htmlspecialchars.php) before displaying it on the page. However, now I'm really curious how you handle the updating of the database... – PeeHaa May 24 '12 at 19:09
- Possible duplicate of [PHP Sanitize Data](http://stackoverflow.com/questions/5863508/php-sanitize-data) – John Conde May 24 '12 at 19:10
- You should never insert anything into a database without first filtering the untrusted user input. – honyovk May 24 '12 at 19:11
- Have you met little Bobby Tables? Also try using an onchange function to remove any script or HTML tags they try to put in your text box. – magicianiam May 24 '12 at 19:15
- What does "using onchange function" mean? @magicianIam – PeeHaa May 24 '12 at 19:18
- Possible duplicate of [What's the best method for sanitizing user input with PHP?](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php) – Wesley Murch May 24 '12 at 19:18
- @MBJ: That is a huge misconception (or perhaps just a little misleading, depending on what you meant). You merely need to *escape* data heading towards the DB so it can be used in an SQL query without breaking syntax or injecting other queries. For XSS and the like, you should escape/filter/sanitize your *output*, not just the input as it comes in. Imagine you find a flaw in your sanitization routine: you would only be able to take advantage of fixing it if you filter *output*. Sure, you can do both, but only one is necessary. – Wesley Murch May 24 '12 at 19:20
- @WesleyMurch I am not talking about Cross-Site Scripting, I am talking about SQL injection. How would sanitizing the output of an SQL statement prevent injection? – honyovk May 24 '12 at 19:32
- @MBJ: The OP is talking about XSS, not SQL injection - that's why I misunderstood you. This issue has nothing to do with SQL. – Wesley Murch May 24 '12 at 19:34
- @WesleyMurch I am looking at my last comment and feel I was a bit hostile; sorry for that. Anyway, I only left my original comment because the OP mentioned "insert it to database". – honyovk May 24 '12 at 19:40
- @MBJ: 90% of comments on this site sound angry, and they probably aren't meant to be. It's all good; we're all here to learn and we're all passionate about our craft. It does stir my nerves when people say such broad things as "sanitize your data" with no regard to context. – Wesley Murch May 24 '12 at 19:46
- Thank you so much for the comments. I already solved it ^__^ – John Micah Fernandez Miguel May 25 '12 at 06:50
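The two points the commenters make (a parameterised insert so the comment is stored as data, and `htmlspecialchars()` at output time so a stored `<script>` is shown as text rather than run) put together in one script. This is an added example, not code from the question or from any commenter; it assumes a `comments(id, author, body)` table and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Store the comment exactly as typed. The prepared statement keeps the text
// as a bound value, so quotes or SQL keywords in it cannot alter the query.
// Assumed schema (not from the question): comments(id, author, body).
function saveComment(PDO $pdo, string $author, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Escape at output time, in the HTML context where the value is used.
// ENT_QUOTES also escapes single quotes, so the result is safe in
// element content and inside quoted attributes alike.
function renderComment(string $author, string $body): string
{
    $safeAuthor = htmlspecialchars($author, ENT_QUOTES, 'UTF-8');
    $safeBody   = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    return "<div class=\"comment\"><b>{$safeAuthor}</b><p>{$safeBody}</p></div>\n";
}

// Read the raw rows back and escape each one on the way out.
function listComments(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT author, body FROM comments ORDER BY id') as $row) {
        $html .= renderComment($row['author'], $row['body']);
    }
    return $html;
}

// Self-contained demonstration with an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input modelled on the one in the question: the quote in
// the author name does not break the INSERT, and the script tag in the body
// comes back as escaped, visible text.
saveComment($pdo, "O'Brien", "<script>alert('Hello World');</script> nice post");
echo listComments($pdo);
```

Escaping happens in `renderComment()`, not before the insert, so the stored text stays intact and a later fix to the output encoding applies to every existing comment.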