How to avoid Javascript code from entering the database !!

[careerbridge]

Hi again,

When my clients post some data into my site, I need to prevent scripts (javascript codes) from entering my database. Bcose this codes may crack my site.

If u ppls know any standard method for doing this, please let me know.
I am using php...

Jim Jose

 

[Bryon]

Do you currently filter or verify user input at all?

Javascript code will not be executed unless it is "within" tags such as these:

<script type="text/javascript">  .. </script>
<script> .. </script>
<script [other attributes ..]> .. </script>

I have found that the easiest way to prevent against this is to just strip all HTML/markup tags from a given string. The easiest way to do this is to use the PHP function "strip_tags()", which removes all tags from the supplied arguement.

With the function you can also specify tags that you do not want to strip, such as "text formatting" HTML tags.

Example:

<?php
..
   $userInput = '<b>Hey!!</b> <i>Look, this shouldn\'t be here!!</i> <script> alert(\'XSS Hole!!\'); </script>';
   $cleanedInput = strip_tags($userInput); // Would take *all* tags out of string.
   $cleanedInput = strip_tags($userInput, '<b><i>'); // Would take *all* tags out of string except for the <b> and <i> tag(s).
..
?>

Hopefully that is a sufficient answer for you.. Let me know if you need something else or what not.

 

[careerbridge]

Ok I got it.... thanks a lot Bryon !! That was exactly what I need !!

 

[IncarcerationX]

Make sure you only put these tags in places where users are allowed to input data. If you put that code snippet into the wrong place, it could screw up your entire website.

 

[careerbridge]

I know, I am also using preg_replace according to convenience!