1

Problem: I have a textbox <input type="text" name="message" placeholder="message">. What I want is to avoid CSS inputs and scripts, because when I type EFFECTS the text turns red and has been saved to my database; same effect when a script is typed. Need help, pros. Thanks.

DumDumDummy
  • If things are getting inadvertently saved to your database, that's an injection problem. You need to sanitize your input message on the server side (PHP etc.) before you process it. A little reading material: http://php.net/manual/en/security.database.sql-injection.php – Zak Jan 20 '16 at 05:26
  • Is there any simple way to implement and avoid CSS and scripting? – DumDumDummy Jan 20 '16 at 05:47
  • There are frameworks that have SQL injection protection. – Finduilas Jan 20 '16 at 07:15

1 Answer

1

This is called XSS. Wikipedia:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.

To defend against XSS you need to convert < and > into HTML entities when you do the output, by using one of the following functions: htmlspecialchars or htmlentities.

You can take a look at this question to decide which one to use.

Alternatively, if you want to allow only some tags, look at the strip_tags function.

Community
  • 1
  • 1
HTMHell
  • 5,761
  • 5
  • 37
  • 79
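
The output escaping described in the answer above, applied to the question's message field, as an added example (not code from the original post). The helper name e() and the sample messages are assumptions constructed for illustration; the second sample shows that strip_tags with an allow-list keeps the attributes of the tags it allows, so the red-text effect from the question would survive it.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: escape a stored value for an HTML text or
// quoted-attribute context. ENT_QUOTES also encodes ' and ",
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions for the "message" field.
$messages = [
    'plain text',
    '<b style="color:red">EFFECTS</b>',
    '<script>console.log("hi")</script>',
    'Tom & "Jerry"',
];

foreach ($messages as $raw) {
    // Store $raw unchanged (using a parameterized query) and escape
    // only at the point where it is written into the HTML page.
    $escaped = e($raw);

    // strip_tags() with an allow-list removes other tags but does not
    // touch attributes on the allowed ones, so style="..." on <b>
    // would still reach the browser.
    $stripped = strip_tags($raw, '<b>');

    printf(
        "raw:      %s\nescaped:  %s\nstripped: %s\n\n",
        $raw,
        $escaped,
        $stripped
    );
}
```

Run it from the command line to compare the three forms of each message; only the escaped form is safe to place directly into page markup.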