0

So I know that you can do $words = htmlspecialchars($_POST['name']); in php to escape the special characters and prevent some html injection.

But I'm having trouble actually implementing it into my php code. I was reading that you have to use it before you display whatever it is you're displaying to the viewer of the site but I'm lost as to how to do this. I am a bit of a beginner with php.

So i was able to do the sql injection part but here's the part of the code where I am stuck at, as I described above.

I am trying to prevent html injection for title blog and tag

$result= mysql_query("SELECT * FROM Bpost");

echo '<div class = "blog" align = "center">';
    while($row = mysql_fetch_array($result))
        {

        echo "<div class = 'tname'>";
        echo $row['title']; 
        echo '</div>';

        echo '<div class = "bpost">';
        echo $row['blog'];
        echo '</div>';

        echo '<div class = "tag">';
        echo $row['tags'];
        echo '</div>';
        echo '</br>';

        }
echo '</div>';

If you need sample code from my other stuff let me know. To me this seem like this was enough.

4

1 回答 1

2

Just change echo $row['title']; to echo htmlspecialchars($row['title']); (and repeat for all the other user-generated data) and you're set.

于 2012-12-12T22:14:55.033 回答