what can I do to prevent xss code?

Question

I have escaped my fields, but when I make an xss code like <script>alert(one frame);</script> then the table which is specially for display the date the xss code is sent it to my database. I want when I make my own xss code dont send the JS script to my database.

$code    = trim(stripslashes(htmlspecialchars($_POST['code'])));
            $product = trim(stripslashes(htmlspecialchars($_POST['product'])));
            $result = new sale();
            $sale_type = $result->getTypeSaleById($_POST['sale_type']);
            $purchase_price   = trim(stripslashes(htmlspecialchars($_POST['purchase_price'])));
            $sale_price   = trim(stripslashes(htmlspecialchars($_POST['sale_price'])));
            $min_stock   = trim(stripslashes(htmlspecialchars($_POST['min_stock'])));
            $stock   = trim(stripslashes(htmlspecialchars($_POST['max_stock'])));

my controller

case 'add_product':
            if(isset($_POST['code']) && $_POST['code']!= '' && isset($_POST['product']) && $_POST['product']!= '' && isset($_POST['sale_type']) && $_POST['sale_type']!= '' && isset($_POST['purchase_price']) && $_POST['purchase_price']!= 0 && isset($_POST['sale_price']) && $_POST['sale_price']!= 0 && isset($_POST['min_stock']) && $_POST['min_stock']!= '' && isset($_POST['max_stock']) && $_POST['max_stock']!= '' ){
                $code    = trim(stripslashes(htmlspecialchars($_POST['code'])));
                $product = trim(stripslashes(htmlspecialchars($_POST['product'])));
                $result = new sale();
                $sale_type = $result->getTypeSaleById($_POST['sale_type']);
                $purchase_price   = trim(stripslashes(htmlspecialchars($_POST['purchase_price'])));
                $sale_price   = trim(stripslashes(htmlspecialchars($_POST['sale_price'])));
                $min_stock   = trim(stripslashes(htmlspecialchars($_POST['min_stock'])));
                $stock   = trim(stripslashes(htmlspecialchars($_POST['max_stock'])));
                $newProduct = new product();
                if($newProduct->add($code,$product,$sale_type,$purchase_price,$sale_price,$min_stock,$stock)){
                    echo "success";
                }else{
                    echo "it cannot be added";
                }
            }
            else{
                echo "something went wrong";
            }
        break;

my javascript function

  function addProduct(){
   var code    = $('#code').val();
   var product = $('#product').val();
   var sale_type = $('#sale_type').val();
   var purchase_price  = $('#purchase_price').val();
   var sale_price = $('#sale_price').val();
   var min_stock  = $('#min_stock').val();
   var max_stock = $('#max_stock').val();
   var valCheck = verificar();
     if(valCheck == true){
      $.ajax({
              url: '../controller/product_controller.php',
              type: 'POST',
              data: 'code='+code+'&product='+product+'&sale_type='+sale_type+'&purchase_price='+purchase_price+'&sale_price='+sale_price+'&min_stock='+min_stock+'&max_stock='+max_stock+'&boton=add_product',
      }).done(function(ans){
      if(ans == 'success'){
              $('#code,#product,#purchase_price,#sale_price').val("");
              $('#sale_type').val('0');
              $('#min_stock,#max_stock').val('0');
              $('#success').show().delay(2000).fadeOut();
              searchProduct('','1');
      }else{
              alert(ans);
        }
      })
    } 
    else {
     }
}

XSS code in database datable

Not that. You need to call the correct escaping method _when you concatenate user input into HTML or Javascript_. — SLaks, Jun 05 '16 at 18:24
This [answer](http://stackoverflow.com/a/7697820/1022914) might be useful. Also if you are using prepared statements for your database queries, you shouldn't be stripping slashes. — Mikey, Jun 05 '16 at 18:26
'{$variable}' < is this one way of prepared statements? because some people say it isn't, but anyway how can I modify my code when someone wants to my xss code don't send it to my database — Luis Osuna, Jun 05 '16 at 18:30
**No.** Hopefully by now, you are using mysqli or better PDO. Please read this [answer](http://stackoverflow.com/a/24989031/1022914) which gives a good explanation on prepared statements. — Mikey, Jun 05 '16 at 18:33

score -1 · Answer 1 · answered Jun 05 '16 at 18:30

-1

While displaying data from database, use htmlspecialchars() function.

answered Jun 05 '16 at 18:30

Paras Jain

393
2
8

i have htmlspecialchars(), but I dont want to my xss code apper in the table data like: id = – Luis Osuna Jun 05 '16 at 18:34
In that case, how do you want it to look like in your database? You can even use htmlentitites() or htmlspecialchars() while saving to database but it's generally not recommended! – Paras Jain Jun 05 '16 at 18:53

what can I do to prevent xss code?

1 Answers1