I am trying to create data validation code in PHP and was wondering how to go about that. I understand that someone can inject code or scripts through the input boxes on my website. I am preventing entry of characters such as < " / \ but I don't know what else to use. For example, I am accepting data into a $var, and if someone enters echo "<div style = "position: fixed; height: 1000px; width: 100%" ></div>", whatever this will do, it will still run if I accept it into my $var and run the code, right? Unless the host has mechanisms to prevent that.
Viewed 51 times
-2

user3238382
- 31
- 1
- 5
1 Answer
0
No, it won't just run the code. What you're talking about is cross-site scripting (XSS), which is something you should worry about in how you display $var to the end user, not in what is accepted into $var.
Keep in mind, an HTML tag means nothing in PHP. It is only when it is displayed in the user's browser that something takes effect. So when you display this to the user, you should convert HTML entities:
echo htmlentities($var);

Devon Bessemer
- 34,461
- 9
- 69
- 95
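The following script is an added illustration of the answer's point and is not code from the question or the answer. It uses a constructed sample value for $var (the markup from the question) and shows that storing the string is inert, that escaping belongs at the output step, and that the same escaping covers both a text node and a quoted attribute value. The helper names escapeHtml and escapeAttr are assumptions chosen for this example; htmlspecialchars with ENT_QUOTES is used because it also escapes single quotes, which htmlentities without flags leaves alone.

```php
<?php
// Added example (not from the original question or answer): a string stored
// in a PHP variable is just data; escaping happens where it is rendered as HTML.
declare(strict_types=1);

// Constructed sample input, standing in for what a visitor typed into a form field.
$var = '<div style="position: fixed; height: 1000px; width: 100%"></div>';

// Nothing executes here. PHP treats $var as an ordinary string, so storing it,
// comparing it or saving it to a database runs neither HTML nor PHP.
$length = strlen($var); // just a byte count of the text

// Escape for an HTML text node: < > & " ' become entities, so the browser
// shows the markup as visible characters instead of building a <div>.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a double-quoted attribute value. The same call is sufficient
// because ENT_QUOTES makes both " and ' safe inside the quotes.
function escapeAttr(string $value): string
{
    return escapeHtml($value);
}

// Unsafe pattern (kept as a comment): raw interpolation hands the visitor's
// markup to every browser that loads the page.
// echo "<p>You entered: $var</p>";

// Safe: the same value, escaped at the point where it meets HTML.
echo '<p>You entered: ' . escapeHtml($var) . "</p>\n";
echo '<input type="text" name="q" value="' . escapeAttr($var) . "\">\n";
```

Run with `php example.php`: the first line prints the visitor's markup as `&lt;div style=&quot;position: ...&quot;&gt;&lt;/div&gt;` inside the paragraph, which a browser renders as literal text. Because escaping is applied at output, there is no need to strip characters such as `<`, `"` or `/` on input, which would also mangle legitimate values like names with apostrophes or fractions written with a slash.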