Possible Duplicate: What are the best practices for avoiding XSS attacks in a PHP site

Is this enough to protect me from XSS?

```php
$title = preg_replace('/<[^>]*>/', '', $titleGet);
```

I use this before inserting into the DB.

Ben
  • No, and instead you might want to use [`strip_tags`](http://php.net/strip_tags). Which does not handle all XSS cases as well, just saying, so double no. Without any context the absolute safe way to prevent XSS is to disallow input if you're looking for a global way of doing things. – hakre Mar 03 '12 at 18:03
  • Arbitrarily throwing away bits of input is rarely a good solution to any XSS problem. – Quentin Mar 03 '12 at 18:04
  • You should research prepared statements and placeholders. Injecting user data directly into your SQL statements is The Wrong Way To Do It. – Brian Roach Mar 03 '12 at 18:05
  • I use PDO prepared statements but first I remove any HTML code. And I just asked if this is enough. – Ben Mar 03 '12 at 18:09

1 Answer


If you want to protect your forms against XSS attacks and still let some HTML through I recommend looking at something like HTML Purifier (http://htmlpurifier.org/).

Dan Murfitt
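A worked example, added here and not part of the question or the answer, that puts the question's regex next to output-time encoding: the raw title is stored through a PDO prepared statement (the point raised in the comments) and encoded only when it is written into HTML. It assumes PHP with the PDO SQLite driver; the table and the sample title are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// The question's approach: strip anything that looks like a tag at input time.
function stripTagsWithRegex(string $titleGet): string
{
    return preg_replace('/<[^>]*>/', '', $titleGet);
}

// Output encoding: the stored value is encoded at the moment it is written
// into HTML. ENT_QUOTES covers both quote characters, so the result is safe
// in an element body and inside a quoted attribute value.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: the regex removes the tags but leaves the
// quotes and the ampersand, which are the characters that matter in HTML.
$titleGet = 'Read "Part <b>2</b>" & more';

// Storage: the raw value goes through a prepared statement (SQL injection is
// a separate problem from XSS and is what the placeholder solves). An
// in-memory SQLite database keeps the example self-contained.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO posts (title) VALUES (:title)');
$stmt->execute([':title' => $titleGet]);
$stored = $db->query('SELECT title FROM posts')->fetchColumn();

$stripped = stripTagsWithRegex($stored);
$escaped  = escapeHtml($stored);

// Attribute context: the stripped value still contains a double quote, so the
// browser ends the attribute there and the rest of the title is no longer
// part of the value. The escaped value stays one attribute value.
echo '<input name="title" value="' . $stripped . '">' . PHP_EOL;
echo '<input name="title" value="' . $escaped . '">' . PHP_EOL;

// Element-body context: the escaped value renders exactly as the user typed it,
// tags included as visible text rather than as markup.
echo '<h1>' . $escaped . '</h1>' . PHP_EOL;
```

Where some HTML must be allowed through, as the answer says, a whitelist-based sanitizer such as HTML Purifier replaces the escaping step for that one field; every other field still gets escaped at output.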