Preventing Cross-Site Scripting

Security is very important part of the work when it comes to building web applications. There are many methods you can use in order to make your web application more secure. Very often, improved security can be a hassle for regular users, and that is the price you need to pay for more secure application.

One of the methods that malicious users can try on web site is XSS Atack or Cross Site Scripting. If web site allows users to enter data in the form, that data can automatically become a threat as the user has freedom to enter anything in the form. If the data is not properly formatted, it could be dangerous for the site.

The code that could harm the web site would usually be written in client side language like javascript. To protect web site from this kind of attack, we can use few PHP functions that will validate user inputs so it can’t make any harm.

Some of the functions that we can apply in this case are strip_tags(),
htmlentities() and htmlspecialchars().

htmlentities() will prevent any HTML code to be shown on web page. This function will translate every of the HTML characters into symbols

strip_tags() function will strip all the tags, whether it’s html, javascript or PHP. This function is very useful as it stops any code from being parsed.

htmlspecialchars() is similar to htmlentities() function, except that this one translate only some of the HTML characters while others are preserved. You can see the exact list of characters on php.net manual.

Leave a Reply

Your email address will not be published. Required fields are marked *