1 - I have a form which has name, family, email, birthday (which is a select) and gender, which is two different radio buttons, one for male and another one obviously is for female. Now please can someone explain to me how to prevent XSS attacks on these fields in PHP? My form data is like this:
<form action="register.php" method="post">
<div>
<table>
<tr><td><?php echo $lang['5']; ?> :</td><td> <input type="text" name="name" maxlength="254" class="required" /></td></tr>
<tr><td><?php echo $lang['6']; ?> :</td><td> <input type="text" name="family" maxlength="254" class="required" /></td></tr>
<tr><td><?php echo $lang['59']; ?> :</td><td> <input type="text" name="email" maxlength="254" class="required" /></td></tr>
<tr><td><?php echo $lang['74']; ?> :</td><td> <input type="text" name="repeat" maxlength="254" class="required" /></td></tr>
<tr><td><?php echo $lang['60']; ?> :</td><td><input type="password" name="password"/></td></tr>
<tr>
<td><?php echo $lang['8'] ?> :</td>
<td>
<select name="day">
<option><?php echo $lang['9'] ?></option>
<?php
for($i=1;$i<=31;$i++){
echo "<option value=\"{$i}\">{$i}</option>\n";
}
?>
</select>
<select name="month">
<?php
for($i=0;$i<=12;$i++){
$i = str_pad($i,2,"0",STR_PAD_LEFT);
echo "<option value=\"{$i}\">";T(1,$i);echo "</option>\n";
}
?>
</select>
<select name="year">
<option><?php echo $lang['11'] ?></option>
<?php
for($i=1300;$i<=1373;$i++){
if($i == $birthdate['0']){
echo "<option value=\"{$i}\" selected=\"selected\">{$i}</option>\n";
}else{
echo "<option value=\"{$i}\">{$i}</option>\n";
}
}
?>
</select>
</td>
</tr>
</table>
male : <input type="radio" name="gender[]" />female : <input type="radio" name="gender[]" /><br />
<input type="submit" name="submit" value="<?php echo $lang['63']; ?>" onclick="formhash(this.form, this.form.password);"/>
</div>
</form>
For name and family I did something like this to get just the HTML entity with this pattern:
$name = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $name);
$family = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $family);
and for email I did like this:
// validate the whole address with preg_match (the original preg_replace used ^ as the
// pattern delimiter and deleted the matching text, so a valid address was removed)
if (!preg_match("/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$/", $email)) {
    $email = "";
}
Is this preg_replace secure enough, or maybe I need to use htmlentities or htmlspecialchars?
2 - And for the second question: is it necessary to escape posted data which is from radio buttons or select options, and if it's necessary, how should I escape them?
3 - I just read about HTMLPurifier. Now, if I have a status field which the user can update, should I use HTMLPurifier for people's statuses and this register form maybe?
Thanks in advance.
HTMLPurifier is very good and enough to prevent XSS attacks, and here is how you can use it.
<?php
# In register.php page:
require_once 'path/to/HTMLPurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
$config->set('HTML.Allowed', ''); // this will NOT allow any html tags
$purifier = new HTMLPurifier($config);

# hash the provided password (don't apply HTMLPurifier on the password)
# password_hash() replaces the original sha1(): it adds a salt and uses a slow hash
$hash_password = password_hash($_POST['password'], PASSWORD_DEFAULT);

$data = array();
# apply HTMLPurifier on all submitted data (string fields only; purify() does not accept arrays)
foreach ($_POST as $key => $value) {
    if (is_string($value)) {
        $data[$key] = $purifier->purify($value);
    }
}

# get birthday
$data['birthday'] = $data['year'] . '-' . $data['month'] . '-' . $data['day'];

# insert submitted data into your database
# a PDO prepared statement replaces mysql_query()/mysql_real_escape_string(), which
# were removed in PHP 7; $pdo is assumed to be an already-opened PDO connection
$stmt = $pdo->prepare('
    INSERT INTO table_name (name, family, email, password, birthday, gender)
    VALUES (:name, :family, :email, :password, :birthday, :gender)
');
$result = $stmt->execute(array(
    ':name'     => $data['name'],
    ':family'   => $data['family'],
    ':email'    => $data['email'],
    ':password' => $hash_password,
    ':birthday' => $data['birthday'],
    ':gender'   => $data['gender'],
));
?>
NOTE: use "male" and "female" as values of the name attributes of the 2 radio input tags instead of the gender[] array.
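As an added example, not code from the question or the answer, here is a complete handler for the same form that answers all three questions in one place: the select and radio fields are checked against a range or allowlist (so an unexpected array or value is rejected rather than escaped), the email is validated as a whole instead of having characters stripped out, the values are stored through a prepared statement, and every value is escaped with htmlspecialchars only at the moment it is written back into HTML. The users table, the in-memory SQLite database and the sample submission are assumptions constructed for this example.

```php
<?php
// Added example, not code from the question or the answer above. Input is
// validated/normalised; output is escaped. The "users" table and the SQLite
// database are assumptions for this example; any PDO driver behaves the same.
declare(strict_types=1);

/** Allowed values for the gender radio buttons; anything else is rejected. */
const GENDERS = ['male', 'female'];

/**
 * Validate one submitted registration; returns [$clean, $errors].
 * Free-text fields are kept verbatim (they are escaped when rendered);
 * constrained fields (select/radio) are range- or allowlist-checked.
 */
function validateRegistration(array $post): array
{
    $clean = [];
    $errors = [];

    foreach (['name', 'family'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > 254) {
            $errors[$field] = 'required, at most 254 characters';
        } else {
            $clean[$field] = $value;
        }
    }

    // Validate the address as a whole instead of deleting characters from it.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid address';
    } else {
        $clean['email'] = $email;
    }

    // <select> values: cast to int and range-check (1300-1373 is the year
    // range offered by the form on the page).
    $day = (int)($post['day'] ?? 0);
    $month = (int)($post['month'] ?? 0);
    $year = (int)($post['year'] ?? 0);
    if ($day < 1 || $day > 31 || $month < 1 || $month > 12 || $year < 1300 || $year > 1373) {
        $errors['birthday'] = 'out of range';
    } else {
        $clean['birthday'] = sprintf('%04d-%02d-%02d', $year, $month, $day);
    }

    // Radio value: must be a string in the allowlist. The is_string() check
    // also rejects the gender[] array the original form would submit.
    $gender = $post['gender'] ?? null;
    if (!is_string($gender) || !in_array($gender, GENDERS, true)) {
        $errors['gender'] = 'must be male or female';
    } else {
        $clean['gender'] = $gender;
    }

    return [$clean, $errors];
}

/** Escape a string for HTML text content or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission standing in for $_POST.
$sample = [
    'name'     => '<script>alert(1)</script>',
    'family'   => 'O\'Brien',
    'email'    => 'user@example.com',
    'password' => 'correct horse battery staple',
    'day'      => '7',
    'month'    => '03',
    'year'     => '1365',
    'gender'   => 'male',
];

[$clean, $errors] = validateRegistration($sample);
if ($errors !== []) {
    foreach ($errors as $field => $message) {
        echo "$field: $message\n";
    }
    exit(1);
}

// Storage: the prepared statement binds the values, so no SQL escaping
// function is involved and the hostile name is stored exactly as typed.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (name TEXT, family TEXT, email TEXT, password TEXT, birthday TEXT, gender TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name, family, email, password, birthday, gender) VALUES (?, ?, ?, ?, ?, ?)');
$stmt->execute([
    $clean['name'], $clean['family'], $clean['email'],
    password_hash($sample['password'], PASSWORD_DEFAULT),
    $clean['birthday'], $clean['gender'],
]);

// Rendering: escape each value at the point it enters the HTML document. The
// script tag in the name becomes inert text and the apostrophe cannot break
// out of an attribute; the allowlisted gender is escaped too, out of habit.
$row = $pdo->query('SELECT name, family, gender FROM users')->fetch(PDO::FETCH_ASSOC);
echo '<p>Welcome, ' . h($row['name']) . ' ' . h($row['family']) . '</p>' . "\n";
echo '<input type="radio" name="gender" value="' . h($row['gender']) . '" checked>' . "\n";
```

The division of labour is the point: stripping characters on input (as the question's preg_replace does) cannot be relied on for XSS because the same stored value may later be placed into an attribute, a script block or a URL, each with different escaping rules; escaping at output with the correct function for that context is what prevents injection, while input validation keeps garbage out of the database. HTMLPurifier belongs only where users are allowed to submit a limited set of HTML tags, such as the status field mentioned in the third question; for plain-text fields like these, htmlspecialchars on output is sufficient.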