PHP Forms
Preventing Cross-Site Scripting
Problem
You want to securely display user-entered data on an HTML page. For example, you want to allow users to add comments to a blog post without worrying that HTML or JavaScript in a comment will cause problems.
Solution
Example Escaping HTML
print 'The comment was: ';
print htmlentities($_POST['comment']);
Discussion
PHP has a pair of functions to escape HTML entities. The most basic is htmlspecialchars(), which escapes four characters: < > " and &. Depending on optional flags, it can also translate ' instead of, or in addition to, ". For more complete encoding, use htmlentities(); it expands on htmlspecialchars() to encode every character that has an HTML entity.
Example Escaping HTML entities
$html = "<a href='fletch.html'>Stew's favorite movie.</a>\n";
print htmlspecialchars($html); // double-quotes
print htmlspecialchars($html, ENT_QUOTES); // single- and double-quotes
print htmlspecialchars($html, ENT_NOQUOTES); // neither
Example prints:
&lt;a href='fletch.html'&gt;Stew's favorite movie.&lt;/a&gt;
&lt;a href=&#039;fletch.html&#039;&gt;Stew&#039;s favorite movie.&lt;/a&gt;
&lt;a href='fletch.html'&gt;Stew's favorite movie.&lt;/a&gt;
By default, both htmlentities() and htmlspecialchars() use the UTF-8 character set (as of PHP 5.4.0; before that, the default was ISO-8859-1). To use a different character set, pass it as the third argument. For example, to use BIG5, call htmlentities($string, ENT_QUOTES, "BIG5").
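The following is an added example, not code from the recipe itself, that puts the Solution snippet and the flag discussion together: it renders the same comment raw and escaped, shows why ENT_QUOTES matters when the value lands in a single-quoted attribute, and shows the one failure mode a practitioner most often trips over, which is that htmlspecialchars() returns an empty string for invalid UTF-8 unless ENT_SUBSTITUTE is set. The helper names (render_raw, esc, render_escaped, attribute_is_contained), the template fragments and the two sample strings are assumptions made for the demonstration. Note that PHP 8.1 changed the default flags to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so the "double quotes only" default described above applies to earlier versions; passing the flags explicitly, as below, gives the same behaviour on every version.

```php
<?php
// Added example, not part of the original recipe. The helper names, the
// sample strings and the template fragments are assumptions for this demo.
declare(strict_types=1);

// Constructed sample input: the kind of text a comment field can receive.
// It mixes markup, an ampersand and both quote styles.
$comment = "<script>alert('hi')</script> Tom & \"Jerry\" say 'hello'";

// The problem case: raw interpolation lets the comment become markup.
function render_raw(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// One helper for HTML body text and quoted attribute values.
// ENT_QUOTES escapes both ' and ", so the output is safe inside single- or
// double-quoted attributes; ENT_SUBSTITUTE replaces an invalid UTF-8 sequence
// with U+FFFD instead of making the whole call return ''; the explicit
// 'UTF-8' removes any dependence on the PHP-version default charset.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: the comment appears as body text and is reused as a
// single-quoted title attribute, escaped for each place it is inserted.
function render_escaped(string $comment): string
{
    $safe = esc($comment);
    return "<p class=\"comment\" title='" . $safe . "'>" . $safe . '</p>';
}

// Why the flag matters: with ENT_COMPAT (the pre-8.1 default) a single quote
// survives escaping, so a value placed in a single-quoted attribute can end
// the attribute early. With ENT_QUOTES neither quote character survives.
function attribute_is_contained(string $value, int $flags): bool
{
    $escaped = htmlspecialchars($value, $flags | ENT_SUBSTITUTE, 'UTF-8');
    return strpos($escaped, "'") === false && strpos($escaped, '"') === false;
}

print render_raw($comment) . "\n";
print render_escaped($comment) . "\n";
var_dump(attribute_is_contained($comment, ENT_COMPAT));
var_dump(attribute_is_contained($comment, ENT_QUOTES));

// Failure mode worth knowing: given invalid UTF-8, htmlspecialchars() returns
// '' unless ENT_SUBSTITUTE is set, so a comment can vanish without any error.
$broken = "caf\xE9"; // constructed: a lone Latin-1 byte, not valid UTF-8
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8') === '');
var_dump(esc($broken));
```

Run it with the PHP CLI. The raw rendering reproduces the problem the recipe describes, the escaped rendering shows the script tag and both quote kinds as entities (ENT_HTML5 turns ' into &apos; where ENT_HTML401 would use &#039;), attribute_is_contained() is false for ENT_COMPAT and true for ENT_QUOTES, the strict comparison on $broken is true because the call returned an empty string, and esc($broken) keeps the text with the bad byte replaced by U+FFFD. The same esc() helper is not a substitute for context-specific encoding: inside a JavaScript string, a URL or an unquoted attribute, HTML entity escaping alone is not sufficient.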