I just have one simple question about XSS attack. I know that you can prevent them by sanitizing the form inputs, but my question is, how about a search input (a general search on a website for example)? Should we sanitize search inputs as well? I mean, it's just a search input, the user should be able to search for anything that he/she wants on the website. Please provide me with some clarification on this.
Thank you
I know that you can prevent them by sanitizing the form inputs
Nope, you should prevent them by sanitizing the output. So in the database (or wherever) you need to pass the data as-is, and process it right before you show it to the user.
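To make the point above concrete, here is an added example in PHP (not code from the answer): the search term is kept exactly as the user typed it and is HTML-encoded only at the moment it is written into the response, once in element content and once inside an attribute value. The function names (escapeHtml, renderSearchHeader, renderSearchHeaderVulnerable) and the sample terms are constructed for this example.

```php
<?php
// Added example (not from the original answer): keep the raw search term and
// HTML-encode it only at the point where it is written into the page.
declare(strict_types=1);

// Encode a string for insertion into element content or a quoted attribute.
function escapeHtml(string $s): string
{
    // ENT_QUOTES encodes both ' and " so the value is also safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: the raw term is concatenated straight into the markup,
// so markup or attribute-breaking characters in the term become part of the page.
function renderSearchHeaderVulnerable(string $term): string
{
    return '<p>You searched for: ' . $term . '</p>'
         . '<input type="text" name="q" value="' . $term . '">';
}

// Hardened rendering: identical markup, but every interpolation is encoded.
function renderSearchHeader(string $term): string
{
    $safe = escapeHtml($term);
    return '<p>You searched for: ' . $safe . '</p>'
         . '<input type="text" name="q" value="' . $safe . '">';
}

// Constructed sample terms: an ordinary search, a payload aimed at element
// content, and a payload aimed at breaking out of the attribute value.
$terms = [
    'red shoes',
    '<script>alert(document.cookie)</script>',
    '" autofocus onfocus="alert(1)',
];

foreach ($terms as $term) {
    echo "--- term: $term\n";
    echo "vulnerable: " . renderSearchHeaderVulnerable($term) . "\n";
    echo "hardened:   " . renderSearchHeader($term) . "\n";
}

// Why the term must be stored raw: if the encoded form were what gets persisted
// (a search log, a "recent searches" list), later comparisons against what the
// user actually typed would no longer match, because "&" has become "&amp;".
$recentSearches = ['A&B'];                                   // stored as typed
var_dump(in_array(escapeHtml('A&B'), $recentSearches, true)); // encoded form does not match
var_dump(in_array('A&B', $recentSearches, true));             // raw form matches
```

The same escapeHtml call is correct for text nodes and quoted attribute values; other contexts (a URL, a JavaScript string, a CSS value) need their own encoding, which is another reason to encode where the value is emitted rather than when it is received.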
Though this has already been answered by zerkms.
Sanitizing against SQL injection for any user input that touches the database requires mysql_real_escape_string($_REQUEST['search']).
On output, if you're showing what the user searched for (like "You searched for:"), use htmlentities(strip_tags($_REQUEST['search']), ENT_QUOTES);
Then you're safe from incoming and outgoing.
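As an added example (not part of the answer above), here is the same two-sided handling written for current PHP. The mysql_* functions, including mysql_real_escape_string, were removed in PHP 7, and strip_tags alters the term the user actually typed (a search for `<b>` becomes an empty string), so the database side uses a PDO prepared statement with the term bound as a parameter, and the page side applies htmlspecialchars to the unmodified term. The table, its rows and the function names (openCatalog, searchProducts, renderResults) are constructed for this example; it assumes the pdo_sqlite extension so that it runs against an in-memory database.

```php
<?php
// Added example (not from the original answer): pass the search term to the
// database as a bound parameter, never "sanitized", and HTML-encode it only
// when it is echoed back into the page.
declare(strict_types=1);

// In-memory SQLite via PDO so the example runs offline; a MySQL DSN is used the
// same way, with the same prepare()/execute() calls.
function openCatalog(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO products (name) VALUES (:name)');
    // Constructed sample rows, stored exactly as written, markup included.
    foreach (["Widget 100%", "Gadget_Pro", "O'Reilly Mug", "<b>bold</b> shirt"] as $name) {
        $insert->execute([':name' => $name]);
    }
    return $pdo;
}

// The term is bound as a parameter: quotes, semicolons and comment markers in
// $term are data, never SQL. The only characters that need attention are LIKE's
// own wildcards, which a bound parameter does not neutralise; they are escaped
// and the ESCAPE clause tells the database which character was used.
function searchProducts(PDO $pdo, string $term): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare(
        "SELECT name FROM products WHERE name LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output encoding happens here and nowhere earlier: the term and the matched
// names go into the page exactly as stored, encoded for the HTML context.
function renderResults(string $term, array $names): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $items = implode('', array_map(fn(string $n): string => '<li>' . $esc($n) . '</li>', $names));
    return '<p>You searched for: ' . $esc($term) . '</p><ul>' . $items . '</ul>';
}

$pdo = openCatalog();

// Constructed inputs: an ordinary term, an apostrophe, a LIKE wildcard, a classic
// injection string and an XSS payload. None of them needs special handling before
// the query; only the last two matter, and only at output time.
foreach (["Gadget", "O'Reilly", "100%", "' OR 1=1 --", "<script>alert(1)</script>"] as $term) {
    echo renderResults($term, searchProducts($pdo, $term)), "\n";
}
```

Note that the "bold" product row round-trips intact: the `<b>` tags are stored as data and come out of renderResults encoded, so they display as text instead of being interpreted. A strip_tags call on the way in would have silently changed what that row, or a user's search, contains.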