Helpful Information
 
 
Category: vBulletin 3 Articles
Easily prevent HTML injection

To easily prevent HTML injection from HTML that happens to be in the results of a database query, escape every value of each fetched row before it reaches a template:

while ($bits = $DB_site->fetch_array($result))
{
    // Escape every column of the row so any markup stored in it is rendered as text
    foreach ($bits as $key => $value)
    {
        $bits[$key] = htmlspecialchars($value);
    }
    // ... rest of the loop body (template evaluation etc.)
}

That goes through every single element returned by the fetch_array method and converts the HTML metacharacters (&lt;, &gt;, &amp;, ") to their entities. Then, when you use "$bits[something]" in a template, the user won't be able to inject HTML at all.
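The same idea written out as a reusable helper (an added example, not code from the original article or from vBulletin). It assumes PHP 7 or later; escape_row() is a name I made up, and the rows are constructed stand-ins for what $DB_site->fetch_array() would return. Compared with a bare htmlspecialchars($value), it also escapes single quotes, which matters when a value lands inside a single-quoted attribute, and it leaves non-string values alone.

```php
<?php
// Added example, not from the original post or from vBulletin.
// Escape every value of one fetched row before it is used in a template.
// ENT_QUOTES also turns ' into &#039; so values dropped into title='...'
// style attributes stay inert; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of making htmlspecialchars() return an empty string.
// Hypothetical helper name: escape_row.
function escape_row(array $row): array
{
    foreach ($row as $key => $value) {
        if (is_array($value)) {
            $row[$key] = escape_row($value);      // nested arrays, if any
        } elseif (is_string($value)) {
            $row[$key] = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        // ints, floats, bools and NULL carry no markup; keep their type as-is
    }
    return $row;
}

// Constructed sample rows standing in for $DB_site->fetch_array($result).
$rows = [
    ['userid' => 1, 'username' => 'alice',
     'title'  => 'Hello world'],
    ['userid' => 2, 'username' => '<script>alert(1)</script>',
     'title'  => "x' onmouseover='alert(1)"],
    ['userid' => 3, 'username' => 'bob', 'title' => null],
];

foreach ($rows as $bits) {
    $bits = escape_row($bits);
    // $bits[...] is now safe to place into HTML text or quoted attributes.
    printf("%d: %s / %s\n", $bits['userid'], $bits['username'], $bits['title'] ?? '(none)');
}
```

Escaping at output time is what makes stored data safe to display; it does not change what is written to the database, so run it on every row that reaches a template, not only on rows you suspect.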

This protects if the data is already in the database... What should I check for when inserting data? Or is that in an FAQ that I haven't found yet?