this question has answer here:
- how prevent xss html/php? 8 answers
so, i've got form enters database , values echoed on page. have been trying figure out how disable code being processed when put through form.
this form:
<div id="postform"> <form method="post" action="post.php" id="messageform" autocomplete="off"> <table border="0" align="center"> <tr><td id="formblock"><span>name</span></td> <td><input id="messagename" name="name" type="text" value="anonymous" maxlength="32" required> <input style="margin-right: -1px; margin-left: -4px;" type="submit" name="submit" value="send message"></td></tr> <tr><td id="formblock"><span>title</span></td> <td><input id="messagetitle" name="title" type="text" maxlength="32" width="20"></td></tr><br> <tr><td id="formblock"><span>message</span></td> <td><textarea onkeyup="countchar(this)" name="message" rows="6" cols="50" form="messageform" maxlength="2000" style="font-family: arial;" required></textarea></td></tr> </table> </form> <table align="center" style="width: 290px; border: 0px;"> <td><div id="warningtext" style="font-size: 10px; margin-top: -15px;">please read faq before posting!</div></td> <td><div id="messagetext" style="font-size: 10px; margin-top: -15px; text-align: right;"></div></td> </table> </div> and how entries being echoed:
<div id="messages"> <?php $servername = "localhost"; $username = "user"; $password = "pass"; $dbname = "db_posts"; $tablename = "posts"; $conn = new mysqli($servername, $username, $password, $dbname); if ($conn->connect_error) { die("failed connect: " . $conn->connect_error); } $sql = "select id, rating, name, title, message, date, time posts order date desc, time desc"; $result = $conn->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { echo "<br><div id='messagebar'><b><a class='rateup' href='index.php' data-id=' " . $row['id'] . " ' title='vote up'>▲</a> "; echo $row["rating"]; echo " <a class='ratedown' href='index.php' title='vote down'>▼</a> </b>"; echo "posted <b>"; echo $row["name"]; echo "</b> on "; echo $row["date"]; echo " @ "; echo $row["time"]; if (!empty($row['title'])) { echo " - <b>"; echo $row["title"]; echo "</b>"; } echo "<span style='float: right'>#"; echo $row["id"]; echo "</span>"; echo "</div><div id='messagecontent'>"; echo $row["message"]; echo "</div><br><hr>"; } } else { echo "<br>"; echo "<center><i>it's dusty in here</i></center>"; echo "<br>"; } $conn->close(); ?> </div> i'm sure there's better way can echo of data, if has suggestions feel free let me know.
tl;dr: if enters <b>text</b> form, want echo <b>text</b>.
it's common encode user data it's rendered screen. don't use php, can use htmlentities() function.
this way, characters interpreted commands in browser encoded display entered originally.
