Learning PHP and MySQL
Monday, September 25, 2006
Cross-Site Scripting Attacks
To guard against these attacks, you should pass any strings that came from a user through the htmlentities function. It takes the format:
htmlentities(string_to_clean)
For example:
print "The title of the book is: " .
htmlentities($_POST['title']);
Here’s an example of what htmlentities does to the string:
<?php
$sample = "A sample is <i>italics</i>";
echo htmlentities($sample);
?>
When executed, this returns:
A sample is <i>italics</i>
Here’s a script to display the title table with the htmlentities functionality added:
<?php require_once('db_login.php'); require_once('DB.php');
$connection = DB::connect("mysql://$db_username:$db_password@$db_host/$db_database");
if (DB::isError($connection)){
die ("Could not connect to the database: <br />". DB::errorMessage($connection));
}
// Dislplay the table
$query = "SELECT * FROM `books`";
$result = $connection->query($query);
if (DB::isError($result)){
die("Could not query the database: <br />".$query." ".DB::errorMessage($result));
}
echo '<table border="1">';
echo "<tr><th>Title</th><th>Pages</th></tr>";
while ($result_row = $result->fetchRow(DB_FETCHMODE_ASSOC)) {
echo "<tr><td>";
echo htmlentities($result_row["title"]) . '</td><td>';
echo htmlentities($result_row["pages"]) . '</td></tr>';
}
echo "</table>";
$connection->disconnect();
?>
Chapter 12 Code • (5) Comments • (75) Trackbacks • Permalink
Statistics
This page has been viewed 407287 times
Page rendered in 0.1924 seconds
Total Entries: 224
Total Comments: 16
Total Trackbacks: 307338
Most Recent Entry: 09/27/2006 12:39 pm
Most Recent Comment on: 10/26/2007 10:00 am
Total Members: 2
Total Logged in members: 0
Total guests: 10
Total anonymous users: 0
Most Recent Visitor on: 05/19/2012 05:44 am
The most visitors ever was 1103 on 11/20/2007 12:50 pm
