What are the best practices for avoiding xss attacks in a PHP site

Mar 12, 2012   //   by phpfreelancer.biz   //   Blog, PHP Tutorial  //  No Comments

Have PHP configured so that register_globals is off. Do not rely on magic quotes: magic_quotes_gpc only backslash-escapes quotes in request data (an SQL-oriented measure, not an XSS defence), it was deprecated in PHP 5.3 and removed in PHP 5.4, so turn it off and use prepared statements for database access instead.

I do my best to always call htmlentities() for anything I am outputting that is derived from user input.

Escaping input is not the best you can do for successful XSS prevention; output must also be escaped. If you use the Smarty template engine, you may use the |escape:'htmlall' modifier to convert all sensitive characters to HTML entities (I use my own |e modifier, which is an alias for the above).

My approach to input/output security is:

store user input unmodified (no HTML escaping on input; only DB-aware escaping, done via PDO prepared statements)
escape on output, depending on the output format you use (e.g. HTML and JSON need different escaping rules)
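The store-raw, escape-on-output approach above, together with the htmlentities() habit mentioned earlier, carried through as an added example (this is not code from the original post). It uses an in-memory SQLite database through PDO so it runs stand-alone; the function names e_html(), e_json() and render_comment(), and the sample comment string, are this example's own.

```php
<?php
// Added example: store user input unmodified via PDO prepared statements,
// then escape once per output context. Requires PHP 7.3+ with pdo_sqlite.
declare(strict_types=1);

// HTML body text and quoted attribute values. ENT_QUOTES is passed explicitly
// so that both ' and " are encoded regardless of the PHP version's defaults.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Data embedded inside a <script> block as a JSON literal. The JSON_HEX_*
// flags encode < > & ' " as \uXXXX, so a "</script>" inside the data cannot
// terminate the surrounding script element.
function e_json($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// One escaper per context: text node, attribute value, script literal.
function render_comment(string $body): string
{
    return '<p>' . e_html($body) . "</p>\n"
         . '<input type="text" value="' . e_html($body) . "\">\n"
         . '<script>var comment = ' . e_json($body) . ";</script>\n";
}

// --- storage: the raw string goes to the database through a bound parameter ---
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: a comment that tries to break out of each context.
$userInput = "O'Neil <script>alert(1)</script> \"x\" </script><img src=x onerror=alert(2)>";

$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $userInput]);   // no addslashes(), no htmlentities() here

$row  = $db->query('SELECT body FROM comments WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
$body = $row['body'];

// The stored value must be byte-for-byte what the user sent.
if ($body !== $userInput) {
    throw new RuntimeException('input was altered on the way into the database');
}

// --- output: escape according to where the value lands ---
$out = render_comment($body);

// No live tag may survive: every '<' from the input is now &lt; or \u003C.
if (strpos($out, '<script>alert') !== false || strpos($out, '<img') !== false) {
    throw new RuntimeException('escaping failed');
}

echo $out;
```

Run it with `php example.php`. Passing ENT_QUOTES explicitly matters: before PHP 8.1, htmlspecialchars() and htmlentities() default to ENT_COMPAT, which leaves single quotes untouched and so does nothing for a value placed inside a single-quoted attribute. The JSON escaper is also what you want for an inline data island; HTML-escaping a JSON string inside a script element is wrong, because the browser does not decode entities there.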
