PHP Programming
Group for all things PHP, Coding Help, Problems and Solutions
108 Members
Join this group to post and comment.
Information Technology
20 Jan 2019

How to prevent our PHP code by cross site scripting?

Cross site scripting(XSS) is a type of computer security vulnerability found in Web based applications. XSS enables attackers to inject client-side script into web application viewed by other users. It may be used by the attackers to bypass access controls such as the same-origin policy.

Take example of a blog, if you have a blog and you allow people to comment and if someone enters unusual data and it gets saved in your database. The unusual data is some sort of vulnerability that will give access of database to the attacker. The PHP code should be proper escaped, an attacker could enter JavaScript code into the blog comment.

You can prevent XSS attacks by escaping your output using htmlspecialchars() or htmlentities(). Both PHP functions converts problematic characters into HTML entities causing the injected code to be output harmlessly and not rendered.

The htmlentities will encode ANY characters that has an HTML entity equivalent. The htmlspecialchars ONLY encode a small set of the most problematic characters. Its generally recommended to us htmlspecialchars because htmlentities can cause display problems with your text depending on characters are being outout.