assuming I parse a logfile that has been submitted by some user and store the parsed data in a MySQL database.
Now if a user is mean enough he could submit a logfile that contains a line similar to nickname=<script>alert(hello);<script>. The parser would grab everything behind the equals sign and execute an INSERT INTO nicknames (name) VALUE ('<script>alert(hello);</script>').
I have tried around a bit and figured that mysqli_real_escape_string() is preventing a line in logfile such as nickname=' AND 1 = 2 from breaking the query by escaping the '.
I assumed it would also deal with <script>/</> and other codes/characters, but apparently I was wrong.
In the case mentioned above, when a user submits a logfile containing the line nickname=<script>alert(hello);<script>, the nicknames.name column will hold the value <script>alert(hello);<script>.
Later those values are read from the table and are displayed, one nickname per row in a <table> on a website. Of course it won't display the "nickname" in this case; the cross-site-script is being executed. Instead of a table row containing a nickname a message box pops up saying 'hello'.
Is there any common way to prevent cross-site-scripting with a function similar to mysqli_real_escape_string()? What is the proper solution to this problem, or maybe even the best?
Of course I could strip off the < and > before INSERTing into the column, but I would prefer a way that would just display the nickname even with a <script> tag in it, in the table.
Regards
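The situation described in the question, as an added example that is not part of the original post. It separates the two contexts the question mixes up: the SQL context (handled here with a parameterized query, which is what mysqli_real_escape_string() approximates) and the HTML output context (handled with html.escape when the table is rendered). The nickname is stored exactly as it appeared in the log, script tag included, and still shows up as literal text in the table. Assumptions: Python with an in-memory SQLite table standing in for the MySQL nicknames table, a "key=value" log format, and the constructed sample log lines below.

```python
import html
import sqlite3

# Constructed sample log: one harmless line, the XSS payload from the question,
# and the SQL-injection style line the question says mysqli_real_escape_string() handles.
SAMPLE_LOG = """nickname=alice
nickname=<script>alert(hello);</script>
nickname=' AND 1 = 2
"""


def parse_nicknames(log_text):
    """Return the text after 'nickname=' for each matching line, untouched.

    Nothing is stripped here: the parser's job is to read the log, not to
    guess which output context the value will later be written into.
    """
    prefix = "nickname="
    return [line[len(prefix):] for line in log_text.splitlines() if line.startswith(prefix)]


def store_nicknames(conn, names):
    """Insert with a parameterized query (assumption: SQLite stands in for MySQL).

    The driver passes the values separately from the SQL text, so a quote in a
    nickname cannot break the statement. This protects the SQL context only.
    """
    conn.execute("CREATE TABLE IF NOT EXISTS nicknames (name TEXT)")
    conn.executemany("INSERT INTO nicknames (name) VALUES (?)", [(n,) for n in names])
    conn.commit()


def load_nicknames(conn):
    """Read the nicknames back in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM nicknames ORDER BY rowid")]


def render_table_unsafe(names):
    """The vulnerable rendering from the question: raw values dropped into HTML."""
    rows = "".join(f"<tr><td>{n}</td></tr>" for n in names)
    return f"<table>{rows}</table>"


def render_table(names):
    """Escape for the HTML context at output time.

    html.escape(quote=True) rewrites & < > " and ' as entities, so the browser
    renders the literal characters instead of parsing a <script> element.
    """
    rows = "".join(f"<tr><td>{html.escape(n, quote=True)}</td></tr>" for n in names)
    return f"<table>{rows}</table>"


def demo():
    """Parse, store, reload and render; returns (stored values, safe HTML, unsafe HTML)."""
    conn = sqlite3.connect(":memory:")
    store_nicknames(conn, parse_nicknames(SAMPLE_LOG))
    stored = load_nicknames(conn)
    return stored, render_table(stored), render_table_unsafe(stored)


if __name__ == "__main__":
    stored, safe, unsafe = demo()
    print("stored:", stored)
    print("safe:  ", safe)
    print("unsafe:", unsafe)
```

The point to take from this is that escaping is tied to the context the data is written into, not to the data itself: the query parameter (or mysqli_real_escape_string()) protects the SQL statement, and the HTML escaping at render time protects the page. Stripping < and > before the INSERT would lose data and would still not cover attributes or other output contexts.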