php - MySQL how to properly deal with rows containing code/cross-site-scripting? -


assuming parse logfile has been submitted user , store parsed data in mysql database.

now if user mean enough submit logfile contains line similiar nickname=<script>alert(hello);<script>. parser grab behind equals sign , execute insert nicknames (name) value ('<script>alert(hello);</script>').

i have tried around bit , figured mysqli_real_escape_string() preventing line in logfile such nickname=' , 1 = 2 breaking query escaping '. assumed deal <script>/</> , other codes/characters, apparently wrong.

in case mentioned above, when user submits logfile containing line nickname=<script>alert(hello);<script>, nicknames.name column hold value <script>alert(hello);<script>.

later values read table , displayed, 1 nickname per row in <table> on website. ofcourse won't display "nickname" in case; cross-site-script being executed. instead of table row containing nickname message box pops saying 'hello'.

is there common way prevent cross-site-scripting function similiar mysqli_real_escape_string()? proper solution problem, or maybe best?

ofcourse strip off < , > before inserting column, prefer way display nickname <script> tag in it, in table.

regards

you can use htmlspecialchars convert html tags syntax respective entities. cause literal value of <script>alert('name');</script> displayed rather being interpreted script block


Comments

Post a Comment

Popular posts from this blog

c++ - importing crypto++ in QT application and occurring linker errors? -

i trying use crypto++ sankore-3.1 qt program, i've installed qt sdk 4.8.1 using vc++ 2010 compiler. i've compiled , built crypto++ using microsoft visual studio 2010, , have needed lib files, include .h files , dll file in hand. i testes these library simple qt application in empty project using qt creator, added libraries .pro file , run successfully. .pro file blow: win32:config(release, debug|release): libs += -l$$pwd/../../dokuman/sankore- 3.1/plugins/cryptopp/win32/dll_output/release/ -lcryptopp else:win32:config(debug, debug|release): libs += -l$$pwd/../../dokuman/sankore-3.1/plugins/cryptopp/win32/dll_output/debug/ -lcrypto includepath += $$pwd/../../dokuman/sankore-3.1/plugins/cryptopp/include dependpath += $$pwd/../../dokuman/sankore-3.1/plugins/cryptopp/include sources += \ main.cpp win32:config(release, debug|release): libs += -l$$pwd/../../dokuman/sankore-3.1/plugins/cryptopp/win32/output/release/ -lcryptlib else:win32:config(debug, de...
Read more

javascript - addthis share facebook and google+ url -

i attempting use addthis create simple url shares whichever current page user on when click share button. of right now, have twitter working. when user clicks, able see url populated in tweet box. when user clicks facebook or google+, url doesn't seem show in share box. <ul class="addthis_toolbox addthis_default_style "> <li><a class="addthis_button_facebook"><img src="/img/facebook-social.png" width="20" height="20" border="0" alt="share" /></a></li> <li><a class="addthis_button_twitter"><img src="/img/twitter-social.png" width="20" height="20" border="0" alt="share" /></a></li> <li><a class="addthis_button_google_plusone_share"><img src="/img/google-social.png" width="20" height="20" border="0" alt="s...
Read more

ios - Show keyboard with UITextField in the input accessory view -

i have buttona , when buttona clicked, want keyboard show uitextfield in inputaccessoryview. there way have keyboard show manually , set inputaccessoryview without having uitextfield initially? thanks. you cannot summon keyboard without object can become first responder. there 2 ways work around: subclass uiview , implement uikeyinput protocol in it. example: in .h file: @interface inputobject : uiview<uikeyinput> @property (nonatomic, copy) nsstring *text; @property (nonatomic, strong) uiview *inputaccessoryview; // must override inputaccessoryview , since it's readonly default @end in .m file, implement protocol: - (bool)canbecomefirstresponder { return yes; } - (bool)hastext { return [self.text length]; } - (void)inserttext:(nsstring *)text { nsstring *selftext = self.text ? self.text : @""; self.text = [selftext stringbyappendingstring:text]; [[nsnotificationcenter defaultcenter] postnotificationname:kinputobjec...
Read more