StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POprevent xss on input fields?
text
Body
copied!<p>1-i have a form which has name family email birthday(which is a select) and gender which is two diffrent radio buttons one for male and another one obviously is for female. now please can someone explain me how to prevent xss attacks on this fields in php? my form data is like this</p> <pre><code><form action="register.php" method="post"> <div> <table> <tr><td><?php echo $lang['5']; ?> :</td><td> <input type="text" name="name" maxlength="254" class="required" /></td></tr> <tr><td><?php echo $lang['6']; ?> :</td><td> <input type="text" name="family" maxlength="254" class="required" /></td></tr> <tr><td><?php echo $lang['59']; ?> :</td><td> <input type="text" name="email" maxlength="254" class="required" /></td></tr> <tr><td><?php echo $lang['74']; ?> :</td><td> <input type="text" name="repeat" maxlength="254" class="required" /></td></tr> <tr><td><?php echo $lang['60']; ?> :</td><td><input type="password" name="password"/></td></tr> <tr> <td><?php echo $lang['8'] ?> :</td> <td> <select name="day"> <option><?php echo $lang['9'] ?></option> <?php for($i=1;$i<=31;$i++){ echo "<option value=\"{$i}\">{$i}</option>\n"; } ?> </select> <select name="month"> <?php for($i=0;$i<=12;$i++){ $i = str_pad($i,2,"0",STR_PAD_LEFT); echo "<option value=\"{$i}\">";T(1,$i);echo "</option>\n"; } ?> </select> <select name="year"> <option><?php echo $lang['11'] ?></option> <?php for($i=1300;$i<=1373;$i++){ if($i == $birthdate['0']){ echo "<option value=\"{$i}\" selected=\"selected\">{$i}</option>\n"; }else{ echo "<option value=\"{$i}\">{$i}</option>\n"; } } ?> </select> </td> </tr> </table> male : <input type="radio" name="gender[]" />female : <input type="radio" name="gender[]" /><br /> <input type="submit" name="submit" value="<?php echo $lang['63']; ?>" onclick="formhash(this.form, this.form.password);"/> </div> </form> </code></pre> <p>for name and family i did somthing like this for get just html entity with this pattern </p> <pre><code>$name = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $name); $family = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $family); </code></pre> <p>and for email i did like this:</p> <pre><code> $email = preg_replace("^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$^", "", $email); </code></pre> <p>is this preg_replace secure enough or maybe i need using htmlentity or htmlspecailchars?</p> <p>2-and for second question is it necessary to escape posted data which is from radio buttons or sellect options and if its necessary how should i escape them?</p> <p>3-i just read about htmlpurifier..now if i have status field which user can i update it should i use html purifier for people statuses and this register form maybe?</p> <p>thanks in advance.</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload