htmlentities function to avoid xss injection attacks (4 posts)

  1. Simone
    Member
    Posted 1 year ago #

    I am doing a site for a client, a very security oriented client, and they told me I need to do the following:

    You will need to do the encode on the server-side... In PHP, you can use the htmlentities() function to encode or escape non-alphanumeric characters, i.e.
    $clean_email = htmlentities($_POST['email']);

    I am trying to secure a contact form with the typical Name, Email, Message.

    Can anyone help me with this? What code and where do I need to add it? (functions.php?) thanks!

    -Simone

  2. linux4me2
    Member
    Posted 1 year ago #

    That's a little old-fashioned. Maybe the server you're on is using an old version of PHP? These days, you sanitize a submitted email address using:
    $clean_email = filter_input(INPUT_POST, 'dirty_email', FILTER_SANITIZE_EMAIL);
    where "dirty_email" is the name of the form field that is submitted by POST. There is a corresponding function for GET. You would put it wherever your form-handling code is; i.e., where the code is that receives the user-submitted data and before you do anything with the data.

    My question is, why are you doing this when there are so many good form plug-ins out there that will add features and decrease your development time, like Fast Secure Contact Form, for example? There are a bunch of them.

  3. Simone
    Member
    Posted 1 year ago #

    Good point. Thanks, you're a life saver

    PS - I was using the default contact form from a theme

  4. MickeyRoush
    Member
    Posted 1 year ago #

    WordPress has its own built-in function for that. If your theme is not properly coding this, you might want to contact them.

    http://codex.wordpress.org/Function_Reference/esc_attr
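An added example (not code from this thread or from WordPress) that pulls the three replies together: validate the POSTed fields with filter_var(), then escape them with htmlentities() at the point where they are printed; inside a WordPress theme esc_attr()/esc_html() do that escaping step. The field names name, email and message are assumed.

```php
<?php
// Added example, not code from the thread or from WordPress. It combines the
// replies above: validate what comes in with filter_var(), then escape what
// goes out with htmlentities(). Field names name/email/message are assumed.
declare(strict_types=1);

// Validate the POSTed fields. Returns ['ok' => true, 'data' => [...]] or
// ['ok' => false, 'errors' => [...]]. FILTER_VALIDATE_EMAIL rejects a bad
// address outright instead of silently rewriting it as FILTER_SANITIZE_EMAIL does.
function validate_contact(array $post): array
{
    $errors  = [];
    $name    = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $message = is_string($post['message'] ?? null) ? trim($post['message']) : '';
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Name is required (100 characters max).';
    }
    if ($email === false) {
        $errors[] = 'Email address is not valid.';
    }
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'Message is required (5000 characters max).';
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    return ['ok' => true, 'data' => ['name' => $name, 'email' => $email, 'message' => $message]];
}

// Escape for an HTML body or attribute context (ENT_QUOTES makes the result safe
// inside value="..."). Inside a WordPress theme, esc_html()/esc_attr() do this job.
function esc(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Usage in the form-handling code (e.g. the theme's contact template).
$result = validate_contact($_POST);
if (!$result['ok']) {
    foreach ($result['errors'] as $error) {
        echo '<p class="error">' . esc($error) . '</p>';
    }
} else {
    // Escape at output time, not at input time: the raw value stays intact and
    // each place it is printed gets the encoding its context needs.
    $d = $result['data'];
    echo '<input type="text" name="name" value="' . esc($d['name']) . '">';
    echo '<p>' . esc($d['message']) . '</p>';
}
```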
