Am using my sanetize right

Question

I need to store data in a mysql table then output it to the user.

I am sanetizing "name" and "comment"

On name im using strip_tags and trim, then storing it with stmt prepare/bind_param.

And on "comment" im using nl2br/htmlspecialchars then storing it with stmt prepare/bind_param, since users must be able to hit enter/linebreak.

So is this enough to protect me against XSS/SQL-injections?

Thanks

So, do a search and find one that does. It's not hard to find. — Paul Dessert, Aug 05 '13 at 23:27

score -1 · Answer 1 · edited May 23 '17 at 11:50

-1

Moreover you are changing user input, I think it's better to show complete input (safely)

htmlentities($str, ENT_QUOTES, "UTF-8");

edited May 23 '17 at 11:50

Community

answered Aug 05 '13 at 23:25

kwarunek

Thanks, I will try that HTML Purifier mentioned in that post – user2654458 Aug 05 '13 at 23:33
strip tags is only vulnerable if used to filter, not to strip all. – Your Common Sense Aug 06 '13 at 05:14
using strip_tags only as in the question will break on many cases and it is not safe https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet. – kwarunek Aug 06 '13 at 06:51

1 Answers1