htmlentities function to avoid xss injection attacks (4 posts)

  1. Simone
    Posted 3 years ago #

    I am doing a site for a client, a very security oriented client, and they told me I need to do the following:

    You will need to do the encode on the server-side... In PHP, you can use the htmlentities() function to encode or escape non-alphanumeric characters, i.e.
    $clean_email = htmlentities($_POST['email']);

    I am trying to secure a contact form with the typical Name, Email, Message.

    Can anyone help me with this? What code and where do I need to add it? (functions.php?) Thanks!


  2. linux4me2
    Posted 3 years ago #

    That's a little old-fashioned. Maybe the server you're on is using an old version of PHP? These days, you sanitize a submitted email address using:
    $clean_email = filter_input(INPUT_POST, 'dirty_email', FILTER_SANITIZE_EMAIL);
    where "dirty_email" is the name of the form field that is submitted by POST. There is a corresponding function for GET. You would put it wherever your form-handling code is; i.e., where the code is that receives the user-submitted data and before you do anything with the data.

    My question is, why are you doing this when there are so many good form plug-ins out there that will add features and decrease your development time, like Fast Secure Contact Form, for example? There are a bunch of them.
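    The two replies above talk about different things: htmlentities() (the client's suggestion) escapes a value at the point where it is written into HTML, which is what actually prevents XSS, while filter_input() with an email filter cleans or validates the value on the way in. A contact form needs both, and the escaping has to happen wherever a submitted value is echoed back (error messages, pre-filled fields), not once at receipt. The following is an added example in plain PHP, not code from the thread or from any theme; the field names name/email/message, the recipient address and the use of mail() are assumptions. It uses htmlentities() with ENT_QUOTES and an explicit charset (htmlspecialchars() with the same flags is equivalent for XSS purposes), and FILTER_VALIDATE_EMAIL rather than FILTER_SANITIZE_EMAIL so that a bad address is rejected instead of silently altered.

```php
<?php
// Added example (not from the thread): a minimal contact-form handler in plain PHP.
// 1. Input side: filter_input() validates the e-mail and reads the other fields.
// 2. Output side: h() escapes any value that is echoed back into HTML (this is the
//    htmlentities() step the client asked for, and the part that prevents XSS).
// Field names, the recipient address and the use of mail() are assumptions.

declare(strict_types=1);

/** Escape a string for insertion into HTML text or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES also escapes ' so the value is safe inside single-quoted attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
    // the charset must be given explicitly so the escaping matches the page encoding.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Read and validate the three contact-form fields from $_POST.
 * Returns ['ok' => bool, 'errors' => string[], 'data' => array].
 */
function read_contact_form(): array
{
    $errors = [];

    // filter_input() returns null if the field is missing and false if validation fails.
    $name    = filter_input(INPUT_POST, 'name', FILTER_DEFAULT);
    $email   = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $message = filter_input(INPUT_POST, 'message', FILTER_DEFAULT);

    $name    = is_string($name) ? trim($name) : '';
    $message = is_string($message) ? trim($message) : '';
    $email   = is_string($email) ? $email : '';

    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Please enter a name (100 characters or fewer).';
    }
    if ($email === '') {
        $errors[] = 'Please enter a valid e-mail address.';
    }
    // A CR or LF in a value that ends up in a mail header would let the sender add
    // arbitrary headers (mail header injection), so reject rather than "clean".
    if (preg_match('/[\r\n]/', $name) || preg_match('/[\r\n]/', $email)) {
        $errors[] = 'Line breaks are not allowed in the name or e-mail fields.';
    }
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'Please enter a message (5000 characters or fewer).';
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'data'   => ['name' => $name, 'email' => $email, 'message' => $message],
    ];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $form = read_contact_form();
    if ($form['ok']) {
        $d = $form['data'];
        // Send to a fixed address (assumption). The visitor's address goes in Reply-To,
        // never in From; the body is sent as plain text, so no HTML escaping applies there.
        mail(
            'owner@example.com',
            'Contact form message',
            "From: {$d['name']} <{$d['email']}>\n\n{$d['message']}",
            "Reply-To: {$d['email']}\r\nContent-Type: text/plain; charset=UTF-8"
        );
        echo '<p>Thanks, your message was sent.</p>';
    } else {
        // Escape at the point of output: the submitted values are reflected back so the
        // visitor can correct them, and this is exactly where unescaped input becomes XSS.
        echo '<ul>';
        foreach ($form['errors'] as $e) {
            echo '<li>' . h($e) . '</li>';
        }
        echo '</ul>';
        printf('<input type="text" name="name" value="%s">', h($form['data']['name']));
        printf('<textarea name="message">%s</textarea>', h($form['data']['message']));
    }
}
```

    The handler goes wherever the form is posted to, which for a theme's own contact form is usually the template that renders it; the escaping helper is the piece that belongs in functions.php so every template can use it.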

  3. Simone
    Posted 3 years ago #

    Good point.. Thanks, you're a life saver

    PS - I was using the default contact form from a theme

  4. MickeyRoush
    Posted 3 years ago #

    WordPress has its own built-in function for that. If your theme is not properly coding this, you might want to contact them.
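    The built-in functions referred to above are WordPress's sanitize_* and esc_* families. As an added example, not code from the thread or from any theme, here is a contact-form handler written with those functions as it would sit in a theme's functions.php: sanitize_text_field(), sanitize_email(), sanitize_textarea_field() and is_email() on the input side, esc_attr(), esc_textarea() and esc_html() on the output side, plus a nonce so the form cannot be submitted from another site. The hook, the field names and the nonce action name are assumptions; the WordPress functions themselves exist as used.

```php
<?php
// Added example (not from the thread or any theme): contact-form handling with
// WordPress's own sanitization, escaping and nonce functions, for a theme's functions.php.
// Assumed: form fields name/email/message, a hidden field "mytheme_contact", and a nonce
// emitted with wp_nonce_field('mytheme_contact', 'mytheme_contact_nonce') in the form.

/** Errors and submitted values kept for re-rendering the form, keyed per request. */
function mytheme_contact_state(?array $set = null): array
{
    static $state = ['errors' => [], 'data' => ['name' => '', 'email' => '', 'message' => ''], 'sent' => false];
    if ($set !== null) {
        $state = $set;
    }
    return $state;
}

/** Runs before the template loads; validates and sends, leaving state for the template. */
function mytheme_handle_contact_form(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !isset($_POST['mytheme_contact'])) {
        return;
    }
    // CSRF check: the nonce ties this POST to a form WordPress rendered for this visitor.
    $nonce = isset($_POST['mytheme_contact_nonce']) ? sanitize_text_field(wp_unslash($_POST['mytheme_contact_nonce'])) : '';
    if (!wp_verify_nonce($nonce, 'mytheme_contact')) {
        wp_die('Invalid form submission.');
    }

    // Input side: wp_unslash() undoes WordPress's added slashes, then the sanitize_*
    // functions strip tags and control characters (including CR/LF, which matters for
    // the mail headers below) and normalize whitespace.
    $name    = sanitize_text_field(wp_unslash($_POST['name'] ?? ''));
    $email   = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    $message = sanitize_textarea_field(wp_unslash($_POST['message'] ?? ''));

    $errors = [];
    if ($name === '')      { $errors[] = 'Name is required.'; }
    if (!is_email($email)) { $errors[] = 'A valid e-mail address is required.'; }
    if ($message === '')   { $errors[] = 'Message is required.'; }

    $sent = false;
    if ($errors === []) {
        // Deliver to the site admin address; the visitor's address only goes in Reply-To.
        $sent = wp_mail(
            get_option('admin_email'),
            'Contact form message',
            "From: {$name} <{$email}>\n\n{$message}",
            ['Reply-To: ' . $email]
        );
    }
    mytheme_contact_state([
        'errors' => $errors,
        'data'   => ['name' => $name, 'email' => $email, 'message' => $message],
        'sent'   => $sent,
    ]);
}
add_action('template_redirect', 'mytheme_handle_contact_form');

/** Output side: call this from the page template; every reflected value is escaped. */
function mytheme_render_contact_form(): void
{
    $s = mytheme_contact_state();
    if ($s['sent']) {
        echo '<p>Thanks, your message was sent.</p>';
        return;
    }
    foreach ($s['errors'] as $e) {
        echo '<p class="error">' . esc_html($e) . '</p>';
    }
    echo '<form method="post" action="">';
    wp_nonce_field('mytheme_contact', 'mytheme_contact_nonce');
    echo '<input type="hidden" name="mytheme_contact" value="1">';
    // esc_attr() for attribute values, esc_textarea() for textarea content.
    printf('<input type="text" name="name" value="%s">', esc_attr($s['data']['name']));
    printf('<input type="email" name="email" value="%s">', esc_attr($s['data']['email']));
    printf('<textarea name="message">%s</textarea>', esc_textarea($s['data']['message']));
    echo '<button type="submit">Send</button></form>';
}
```

    The split mirrors how WordPress core itself is written: sanitize on the way in, escape late at the point of output with the function matching the HTML context (esc_html, esc_attr, esc_textarea, esc_url), and never rely on the input-side cleaning alone to make output safe.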

