Protect scripting attack input

1

I wanted to know how to protect the input boxes from script-code attacks; if anyone knows how to do it, it would help a lot.

<form method="POST" action="index.php?page=dados_encomenda">
    <input type="text" class="form-control" name="nome" id="nome" placeholder="Introduza o seu nome" required>
    <button type="submit" class="btn btn-primary"><span class="glyphicon"></span>Encomendar</button>
</form>
asked by anonymous 29.04.2017 / 20:24

1 answer

2

What you should do is use htmlentities() when displaying the result.

This is vulnerable:

// Input:
$Nome = $_POST['nome'];

// Output:
echo $Nome;

This is relatively safe against XSS:

// Input:
$Nome = $_POST['nome'];

// Output:
echo htmlentities($Nome, ENT_QUOTES | ENT_HTML5, 'UTF-8');

ENT_QUOTES is used so that PHP escapes ' and also ". ENT_HTML5 and UTF-8 are used to define the "language" we are "communicating" in, basically the same principle we have to follow when we use mysqli_real_escape_string. To be sure we have control over the character encoding, and that it is the same one specified to htmlentities, set it in the <meta> tag and also in the Content-Type header.

Never save the result of htmlentities. Wordpress, which publicly says that security is not a priority, has done this in the past. Wordpress failed once and then failed again.

How can everything go wrong?

We also have some features to keep the damage of an XSS from being larger: set the cookie to "httpOnly" and "Secure" (which requires HTTPS), using

session.cookie_httponly = On
session.cookie_secure = On

Use the Content-Security-Policy header to prevent loading external content onto the site and to define which sites are trusted, for example:

Content-Security-Policy: script-src 'self' https://cdn.example.net https://ajax.googleapis.com https://www.google-analytics.com; child-src 'none'; object-src 'none'; upgrade-insecure-requests

This will prevent anyone from loading a script from insecure.com.

Recommended links:

29.04.2017 / 23:53
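The following page puts the answer's pieces together (output escaping with htmlentities(), an explicit charset in both the Content-Type header and the <meta> tag, the two session cookie flags, and the Content-Security-Policy header) around the question's "nome" field. It is an added example, not code from the question or the answer; the file name example.php is an assumption, and the CSP hosts are the answer's own example values.

```php
<?php
// Added example (not the answer's own code).
// Run with: php -S 127.0.0.1:8080 example.php  and submit the form.
declare(strict_types=1);

// 1. Cookie hardening from the answer; these must be set before session_start().
ini_set('session.cookie_httponly', '1'); // JavaScript cannot read the session cookie
ini_set('session.cookie_secure', '1');   // cookie is only sent over HTTPS
session_start();

// 2. Make the response charset explicit so it matches what htmlentities() is told.
header('Content-Type: text/html; charset=UTF-8');

// 3. Content-Security-Policy (hosts taken from the answer's example policy).
header("Content-Security-Policy: script-src 'self' https://cdn.example.net https://ajax.googleapis.com https://www.google-analytics.com; child-src 'none'; object-src 'none'; upgrade-insecure-requests");

/**
 * Escape a value for insertion into HTML text or a quoted attribute.
 * Wraps htmlentities() with the flags the answer recommends.
 */
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Keep the raw input as-is (never store the escaped version); escape only on output.
$nome = (isset($_POST['nome']) && is_string($_POST['nome'])) ? $_POST['nome'] : '';
?>
<!DOCTYPE html>
<html lang="pt">
<head>
  <meta charset="UTF-8">
  <title>Encomenda</title>
</head>
<body>
<form method="POST" action="">
  <!-- The submitted value is echoed back inside a double-quoted attribute,
       which is why ENT_QUOTES matters: a " in the input cannot close the attribute. -->
  <input type="text" class="form-control" name="nome" id="nome"
         placeholder="Introduza o seu nome" required value="<?= e($nome) ?>">
  <button type="submit" class="btn btn-primary">Encomendar</button>
</form>
<?php if ($nome !== ''): ?>
  <!-- Escaped output: an input such as <script>alert(1)</script> is shown as text, not executed. -->
  <p>Olá, <?= e($nome) ?>!</p>
<?php endif; ?>
</body>
</html>
```

Two practical notes: with session.cookie_secure enabled, a browser will not store the session cookie when the page is served over plain HTTP, so test behind HTTPS. Also, the answer's policy only sets script-src; other resource types (images, styles, frames) are unrestricted unless a default-src directive is added, so a production policy should set one.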