dprichard
01-29-2008, 06:12 PM
Okay, I am just learning about cross-site scripting and was trying to clear up some questions I have. When I have user-submitted information and it is going into a database, I have been using mysql_real_escape_string to stop SQL injections. I have just recently learned about XSS and am trying to make sure I understand when and how to protect my sites and users from this.
1. When I insert data into a database do I need to just use mysql_real_escape_string or do I also need to filter the data for XSS input?
2. To filter for XSS, is it okay to just use htmlspecialchars, or do I need to use a special function as well?
3. I found this function at quickwired. Is this sufficient, and if I use this, should I not use htmlspecialchars, or should I use both?
http://quickwired.com/smallprojects/php_xss_filter_function.php
Sorry if I sound like a noob, but I have just started hand coding everything versus using Dreamweaver coding and want to make sure I handle this the right way.
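A worked illustration of the split the question is about (an added example, not part of the original post): protect the SQL statement at insert time, store the value unchanged, and HTML-encode it only at the moment it is rendered, using encoding that fits the spot in the page. The mysqli connection, the `comments` table and its columns are assumptions; a mysqli prepared statement stands in for mysql_real_escape_string because the old mysql extension was removed in PHP 7.

```php
<?php
// Added example: SQL protection at storage time, HTML encoding at output time.
// Assumptions: a mysqli connection $db and a hypothetical table
// comments(author VARCHAR, body TEXT).

// Step 1: storage. Only SQL needs protecting here. Do NOT run htmlspecialchars
// on the way in; the database should hold what the user actually typed.
function store_comment(mysqli $db, string $author, string $body): bool {
    // Bound parameters keep data separate from the SQL text, so no manual
    // escaping (mysql_real_escape_string style) is required.
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $author, $body);
    return $stmt->execute();
}

// Step 2: output. Encode for HTML exactly where the value lands in the page.
function h(string $s): string {
    // ENT_QUOTES encodes both ' and ". Without it a single quote passes through,
    // which is a problem when the value sits inside a single-quoted attribute.
    // Passing the charset keeps the encoder in step with the page encoding.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_comment(array $row): string {
    // Same encoder for element text and for the attribute value; ENT_QUOTES is
    // what makes the attribute position safe as well as the text position.
    return '<div class="comment" data-author=\'' . h($row['author']) . '\'>'
         . '<p>' . h($row['body']) . '</p>'
         . '</div>';
}

// Constructed sample row standing in for a fetched database record (no live DB).
$row = [
    'author' => "O'Brien",
    'body'   => '<b>bold?</b> & "quoted"',
];
echo render_comment($row), PHP_EOL;
```

The point for question 1 is that `store_comment` and `render_comment` do different jobs: the quotes and angle brackets in the sample row are stored as-is and only become `&lt;`, `&amp;`, `&quot;` and `&#039;` when `h()` runs at display time.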