Which is better method to prevent XSS attacks? Here is the code I am trying to do.
Is this line of code enough to prevent XSS attacks? or Do I have to parse each element with 'strip_tags'. Thank you for any suggestions.
$xss = array_map('strip_tags', $_POST);
In this method I have to change a lot of form elements with 'strip_tags'.
$f_name = strip_tags($_POST["f-name"]); $a_id = isset($_POST['a_id']) ? (int)strip_tags($secure_POST['a_id']) : 0; $qry = $pdo_conn->prepare('INSERT INTO TABLE1(id, f_name) VALUES (?, ?)'); $qry->execute(array($a_id, $f_name));
Cross Site Scripting and is injecting a website with malicious html elements. This can be prevented by setting a proper charset (like utf8) and htmlentities when displaying it.
You want to keep original data in your database, just in case. If you would ever change anti-XSS tactics you can do that all at once, because the data is not already prepared.
I think you mean anti
sql-injection. Prepared statements do that themselfs (if defined proper charset like utf8), no need to worry about that. You can do some checks beforehand though, like checking if $_POST['int'] really only has int values (as example).