I need to prevent XSS attacks when echoing variables in PHP.
For example, assume I have two values from my database, one for the username and the other for the email address:
$username
$email
So now I want to prevent XSS attacks when using these variables in my HTML.
I tried something like this using htmlspecialchars():
<h5>Editing User <?php echo '"<strong>'.htmlspecialchars($username, ENT_QUOTES, 'UTF-8').'"</strong> (<strong>'; echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8').'</strong>)'; ?></h5>
This is the rendered HTML from the above PHP:
<h5>Editing User <strong>test_user</strong> (<strong>example@gmail.com</strong>)</h5>
So, can somebody tell me if this is the correct way to go? If not, what is the correct way?
Hope somebody can help me out. Thank you.
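As an added example (not the asker's code), the same output wrapped in a small escaping helper so that the flags and charset are not repeated at every echo, plus the one case htmlspecialchars() alone does not cover: a value placed inside a URL. The helper name e() and the sample values are assumptions made for this example.

```php
<?php
// Added example, not the asker's code: a helper for HTML text and attribute
// contexts, shown with constructed sample values instead of database rows.
declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES encodes both " and ', ENT_SUBSTITUTE replaces invalid UTF-8
 * sequences instead of returning an empty string, and passing 'UTF-8'
 * explicitly avoids depending on the default_charset ini setting.
 */
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values standing in for $username and $email from the database.
$username = 'O\'Brien <b>"test"</b> & co';
$email    = 'example@gmail.com';

// Static markup stays as plain HTML; only the dynamic values go through e().
?>
<h5>Editing User <strong><?= e($username) ?></strong> (<strong><?= e($email) ?></strong>)</h5>

<?php
// A value inside a URL needs URL encoding first, because htmlspecialchars()
// only protects the HTML context. The result is then escaped again with e()
// because it still sits inside an HTML attribute.
?>
<a href="/users?email=<?= e(rawurlencode($email)) ?>">profile</a>
```

The helper converts the five characters that matter in HTML (`<`, `>`, `&`, `"`, `'`) into entities, so the sample username is displayed literally rather than being interpreted as markup. Escaping once at output time, in the context the value lands in, is the point: values stored in the database stay raw, and the href line shows that a different context (a URL component) needs its own encoding layered under the HTML one.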