What Is Cross-Site Scripting (XSS) and How to Prevent It
Cross-Site Scripting (XSS) is not necessarily an actual "cross-site" attack; it is essentially the insertion of client-side script code, placed so that other users' browsers will execute it. This becomes possible when the website's output is not properly escaped, so that extra code can be added to the page.
Input to database (SQL-escape the untrusted value before it is interpolated into the query; query_db() and escape() stand for the application's own database helper and SQL-escaping function):
query_db("INSERT INTO table_name (column_name) VALUES ('" . escape($_GET["column_name"]) . "')");

Output from database (HTML-escape the value at the moment it is printed, so any markup stored in the row is shown as text rather than parsed by the browser):
echo htmlspecialchars(query_db("SELECT column_name FROM table_name WHERE id = value"));

Combine input and output escaping (the value is SQL-escaped for storage and HTML-escaped once on the way in, so what comes back out of the table can be echoed as-is; just_inserted_id() stands for the id of the row just written):
$item = htmlspecialchars(escape($_GET["column_name"]));
query_db("INSERT INTO table_name (column_name) VALUES ('$item')");
echo query_db("SELECT column_name FROM table_name WHERE id = " . just_inserted_id());
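The same input/output split carried through as a complete script, added here as an example and not taken from the original page. It assumes an in-memory SQLite database reached through PDO, a table named comments with a body column, and a constructed value standing in for $_GET["body"]; a bound parameter takes the place of the page's escape() helper, and HTML escaping is applied only at output time.

```php
<?php
// Added example (not from the original page): store an untrusted value with a
// parameterised query, then HTML-escape it only where it is printed.
// Assumptions: PDO with the sqlite driver is available; table "comments" with
// column "body" is a made-up schema for this demonstration.

declare(strict_types=1);

// Constructed sample of what an XSS probe arriving in $_GET["body"] looks like.
$untrusted = '<script>alert(1)</script> & "quotes" <b>bold</b>';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Input side: the bound parameter replaces string escaping such as
// escape($_GET[...]). The value is stored verbatim; no HTML encoding yet.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $untrusted]);
$id = (int) $db->lastInsertId();

// Output side: encode for the HTML body context at the point of printing.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, and the charset is stated explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$select = $db->prepare('SELECT body FROM comments WHERE id = :id');
$select->execute([':id' => $id]);
$body = (string) $select->fetchColumn();

// Vulnerable rendering: the stored markup is handed to the browser unchanged.
$vulnerable = "<p>$body</p>";

// Hardened rendering: every HTML metacharacter becomes an entity, so the
// browser displays the probe as text instead of executing it.
$safe = '<p>' . h($body) . '</p>';

echo "Stored verbatim : $body\n";
echo "Unsafe output   : $vulnerable\n";
echo "Escaped output  : $safe\n";
```

Storing the raw value and encoding on output keeps the database usable for non-HTML consumers (APIs, exports, logs) and makes the escaping decision visible in the template that prints it. htmlspecialchars() covers the HTML body and quoted-attribute contexts only; a value placed inside a script block, a URL, or a CSS rule needs the encoder for that context, so check which context each echo lands in before choosing the function.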