I want my users to be able to comment using Markdown and avoiding XSS.
What is the correct sequence of actions to do ?
This is my understanding of how it works:
user input via HTML form using Markdown syntax
$Input = markdown(mysql_real_escape_string($_POST['userInput']));
insert $input into database
And then, Do I need also to use htmlspecialchars ?
分享 mysql_real_escape_string is used to avoid SQL INJECTION. Because it escapes SQL.
XSS can be avoided using strip_tags(), preg_match() and htmlspecialchars() together
XSS is based on html tags that contains exploits. For example scripts in java script, or redirections, or opening files in tags.
strip_tags() removes html tags. Also there is one more interesting function called
htmlspecialchars() for preventing XSS.
The most imporant things to prevent sql injection attack
so first you should validate data, then sanitize it and finally escape it using htmlspecialchars.
分享
