XSS Prevention in PHP Cheat sheet pdf - Cross Site Scripting examples

XSS (Cross Site Scripting) Prevention in PHP

In this Article,I will show how to prevent XSS in PHP. Cross Site Scripting occurs, when an attacker uses a Web Application to send a malicious script(Javascript,VBScript,HTMl Script), Most often Malicious Data comes from the HTTP request.This script can access cookies,sessions and other information stored by your browser.These scripts even change the content of HTML Page.

XSS (Cross Site Scripting) Prevention in PHP

There are Two types of XSS Attackes:

1.Stored XSS Attackes:  Malicious code permanantly stored on server such as  in Database ,Comment..etc
2.Reflected XSS Attacks: Injected Code reflected off the Web server such as error message,Search results..etc

XSS (Cross Site Scripting) Prevention in PHP Cheat sheet:

- Untrusted User Input Data:
Most often Malicious Data comes from the HTTP request.Never trust data coming from the user.you should not insert or send it anywhere without taking steps to make sure that any attacks are detected .you have to validate all user input data using PHP functions before Insert into database or send it to anywhere.

- Validation:
   Validate all user input data ($_GET, $_POST, $_REQUEST, $_COOKIE) using Regular expressions,Javascript and PHP functions to prevent XSS attacks.

- Some PHP functions that helps you to prevent XSS attacks

1.htmlspecialchars: htmlspecialchars Converts all special characters to HTML entities.(<, >, &, ‘, “.).

2.strip_tags: Used to strip HTML and PHP tags from a string.

3.mysql_real_escape_string: Escapes special characters in a string for use in an MySQL statement

4.Encode URL Query String Parameters.

- You can use htmlentities and stripslashes php functions for Retrieving and Displaying the Data From the Database.

- Use Escape methods (HTML Escape,Javascript Escape,CSS Escape) for XSS (Cross Site Scripting) Prevention.

- Always Use XHTML.

I hope This article will help you to prevent XSS Attacks.

For more Inforamation about XSS Cheat sheet click here