PHP includes the mysql_real_escape_string() operate, that makes a string safe by adding escaping so it may be employed by alternative MySQL-related functions without concern of SQL injections. By escaping, I mean adding a slash ahead of any special characters. as an example, one quote (') would be regenerate to (\'). This tells MySQL that the only quote does not mark the top of a string however rather is a component of the string.
To protect against cross-site scripting, input has to be change to get rid of any and every one tags, as well as all hypertext mark-up language tags and others like <script>, <object>, and <embed>. PHP strip_tags() will take away HTML tags, and that we will use a string replace to get rid of the others.
As an extra precaution, you ought to take away all special characters, like / ' $ % and #,, from the string.
Working Example:
<?php
function make_input_safe($variable) {
$variable = php_strip_html_tags($variable);
$bad = array("=","<", ">", "/","\"","`","~","'","$","%","#");
$variable = str_replace($bad, "", $variable);
$variable = mysql_real_escape_string(trim($variable));
return $variable;
}
?>
<?php
/*
Online PHP Examples with Source Code
website: http://4evertutorials.blogspot.in/
*/
function php_strip_html_tags( $text )
{
$text = preg_replace(
array(
// Remove invisible content
'@<head[^>]*?>.*?</head>@siu',
'@<style[^>]*?>.*?</style>@siu',
'@<script[^>]*?.*?</script>@siu',
'@<object[^>]*?.*?</object>@siu',
'@<embed[^>]*?.*?</embed>@siu',
'@<applet[^>]*?.*?</applet>@siu',
'@<noframes[^>]*?.*?</noframes>@siu',
'@<noscript[^>]*?.*?</noscript>@siu',
'@<noembed[^>]*?.*?</noembed>@siu'
),
array(
'', '', '', '', '', '', '', '', ''), $text );
return strip_tags( $text);
}
?>
0 comments:
Post a Comment