htmlentities function to avoid xss injection attacks

  • Simone

    (@simonttz)


    13 years, 5 months ago

    I am doing a site for a client, a very security oriented client, and they told me I need to do the following:

    You will need to do the encode on the server-side… In PHP, you can use the htmlentities() function to encode or escape non-alphanumeric characters, i.e.
    $clean_email = htmlentiities($_POST[’email’);

    I am trying to secure a contact form with the typical Name, Email, Message.

    Can anyone help me with this? What code and where do I need to add it? (Fucntions.php?) thanks!

    -Simone

Viewing 3 replies - 1 through 3 (of 3 total)
  • linux4me2

    (@linux4me2)

    13 years, 5 months ago

    That’s a little old-fashioned. Maybe the server you’re on is using an old version of PHP? These days, you sanitize a submitted email address using:
    $clean_email = filter_input(INPUT_POST, 'dirty_email', FILTER_SANITIZE_EMAIL);
    where “dirty_email” is the name of the form field that is submitted by POST. There is a corresponding function for GET. You would put it wherever your form-handling code is; i.e., where the code is that receives the user-submitted data and before you do anything with the data.

    My question is, why are you doing this when there are so many good form plug-ins out there that will add features and decrease your development time, like Fast Secure Contact Form, for example? There are a bunch of them.

    Thread Starter Simone

    (@simonttz)

    13 years, 5 months ago

    Good point.. Thanks, you’re a life saver

    PS – I was using the default contact form from a theme

    MickeyRoush

    (@mickeyroush)

    13 years, 5 months ago

    WordPress has it’s own built in function for that. If your theme is not properly coding this, you might want to contact them.

    http://codex.ww.wp.xz.cn/Function_Reference/esc_attr

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘htmlentities function to avoid xss injection attacks’ is closed to new replies.