Thread: Mysql_real_escape_string and PDO statements
View Single Post
Old 11-30-2012, 07:33 PM   PM User | #10
felgall
Master Coder

 
felgall's Avatar
 
Join Date: Sep 2005
Location: Sydney, Australia
Posts: 5,447
Thanks: 0
Thanked 496 Times in 488 Posts
felgall is a jewel in the roughfelgall is a jewel in the roughfelgall is a jewel in the rough
Quote:
Originally Posted by angelali View Post
And can we add our traditional htmlentities or strip tags in PDO statements to protect against XSS?
You should use htmlentities when writing data out into HTML where the data can legitimately contain characters that might otherwise be misinterpreted as being a part of the HTML rather than as a part of the content.

You should use striptags where you want to convert HTML to plain text.

Neither has anything to do with databases.

Vakidating your data properly when it is first received from the user is the best way to prevent against XSS and also protects against your database getting filled with meaningless junk. If you validate your data properly then there is no possibility of XSS existing - it only happens because sites allow garbage to be entered in forms and don't validate it.

How many people do you know whose name or address looks like an SQL command?
__________________
Stephen
Learn Modern JavaScript - http://javascriptexample.net/
Helping others to solve their computer problem at http://www.felgall.com/
felgall is offline   Reply With Quote