Prevent XSS Attacks. Escape Strings in PHP

Here’s how to prevent XSS attacks by escaping output in PHP:

[Video: YouTube pc0V9hJpE54, playlist PLrG78JjvL7hWah18gU57tCtbFOvsxl9pp]

Here’s the code I used in the video:

https://gist.github.com/03bd85c3f9354dc07327

What Is XSS?

XSS stands for cross-site scripting. It is an attack in which an attacker gets their own client-side code (usually JavaScript) into the HTML your page sends to a browser, so the browser runs it with the same privileges as your own scripts: same origin, same cookies, same logged-in session.

Any application that takes attacker-influenced data (a form field, a URL parameter, a database row) and writes it into its output without escaping it for the place it lands is vulnerable to this type of attack.

XSS Example

A simple example is a blog comment. If the comment is not escaped on output, an attacker can type JavaScript (for example a <script> tag) into the comment form.

That comment is stored in the database and written into the page every time it loads. Because it is not escaped, the browser treats it as markup rather than text, so the script renders and runs for every visitor. This variant is called stored (or persistent) XSS.

The attacker then has everything JavaScript can do in your visitors' browsers: read their cookies and the page content, send requests in their name, rewrite the page, or redirect them somewhere else.

How to Prevent XSS Attacks

As illustrated in the video above, you prevent XSS attacks by escaping your output with htmlspecialchars() or htmlentities() at the moment you write a value into HTML.

Both functions convert the characters that have meaning in HTML (&, <, >, and the quote characters) into HTML entities such as &lt; and &amp;. The browser then displays the injected code as literal text instead of parsing and running it.

Three details matter in practice. Pass ENT_QUOTES so that single quotes are escaped too: before PHP 8.1 the default flags left ' untouched, which lets a value break out of a single-quoted attribute. Always put dynamic attribute values inside quotes in the markup. And remember that these functions escape for HTML text and attribute contexts only; a value dropped into an inline <script> block, a URL, or a CSS rule needs the encoder for that context (json_encode() with the JSON_HEX_* flags for JavaScript, rawurlencode() for URL components).
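A worked version of the blog-comment scenario, added here as an example; it is not the code from the video or the gist. It uses constructed sample rows in place of a database query, and the helper name e() is my own choice:

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for rows fetched from the comments table.
$comments = [
    ['author' => 'alice', 'body' => 'Great post, thanks!'],
    // A hostile comment: a script in the body and a quote breakout in the author name.
    ['author' => "bob' onmouseover='alert(1)", 'body' => '<script>alert(document.cookie)</script>'],
];

// Escape a string for insertion into HTML text or a quoted attribute value.
// ENT_QUOTES escapes both " and ' (needed for attribute context; on PHP < 8.1
// the default flags left ' alone). ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning '' so a bad comment is not silently blanked.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: values are concatenated straight into the markup, so
// the body becomes a live <script> and the author name closes the attribute
// and adds an event handler.
function renderUnsafe(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= "<div class='comment' data-author='{$c['author']}'>{$c['body']}</div>\n";
    }
    return $html;
}

// Hardened rendering: every dynamic value passes through e() and every
// attribute value is quoted.
function renderSafe(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= '<div class="comment" data-author="' . e($c['author']) . '">'
               . e($c['body']) . "</div>\n";
    }
    return $html;
}

echo "--- unsafe ---\n", renderUnsafe($comments);
echo "--- safe ---\n", renderSafe($comments);
```

Run it with `php` from the command line and compare the two outputs: the hardened version emits `&lt;script&gt;` and `&#039;` in place of the raw characters, so the browser shows the attacker's text but never executes it. Escaping at output time, not when the comment is saved, is what keeps the stored text intact for other uses (search, an API, a plain-text email) while still making each HTML rendering safe.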

htmlentities vs htmlspecialchars

Both will prevent XSS in HTML text and attribute contexts. The difference is in which characters each encodes. htmlentities() encodes EVERY character that has a named HTML entity, so accented letters, currency symbols and typographic quotes all come out as entities.

htmlspecialchars() ONLY encodes the small set of characters that are special in HTML: & < > " and, with ENT_QUOTES, '.

It is generally recommended to use htmlspecialchars(). Encoding every non-ASCII character is unnecessary when your page is served as UTF-8, it inflates the output, and if the charset you pass to htmlentities() does not match the encoding of the text, multibyte characters are split into the wrong entities and display as garbage. Since PHP 5.4 both functions assume UTF-8 unless told otherwise; pass the charset explicitly so a wrong default cannot bite you.

Think of htmlspecialchars() as a scalpel and htmlentities() as a hammer. Both can solve the problem; one is just a little more precise.
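To see the difference (and the charset problem) concretely, here is an added example that runs both functions over the same constructed comment; it is not code from the video or the gist, and the helper name compareEscapers() is my own:

```php
<?php
declare(strict_types=1);

// Escape a value with both functions using identical flags and return the
// results side by side. ENT_SUBSTITUTE keeps an invalid byte sequence from
// turning the whole result into '' (which would silently blank out a comment).
function compareEscapers(string $input, string $charset = 'UTF-8'): array
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return [
        'htmlspecialchars' => htmlspecialchars($input, $flags, $charset),
        'htmlentities'     => htmlentities($input, $flags, $charset),
    ];
}

// Constructed sample: hostile markup mixed with ordinary non-ASCII text.
$comment = '<b>Café</b> & "crème brûlée" for 5 € <script>alert(1)</script>';

// Correct charset: both outputs neutralise the tags and the quotes; only
// htmlentities() also rewrites é, è, û and € as named entities.
echo "--- charset UTF-8 ---\n";
foreach (compareEscapers($comment, 'UTF-8') as $fn => $out) {
    printf("%-16s %s\n", $fn, $out);
}

// Mismatched charset: the UTF-8 bytes of 'é' (0xC3 0xA9) are read as two
// ISO-8859-1 characters, so htmlentities() emits &Atilde;&copy; and the page
// shows "Ã©". htmlspecialchars() leaves non-special bytes alone, so it is
// unaffected here. This is the display problem described above.
echo "--- charset ISO-8859-1 (wrong for this text) ---\n";
foreach (compareEscapers($comment, 'ISO-8859-1') as $fn => $out) {
    printf("%-16s %s\n", $fn, $out);
}
```

Both functions stop the `<script>` tag in every run; the difference is only in how much of the harmless text gets rewritten, and in how badly a wrong charset argument can mangle it. If you do want entities for non-ASCII text (for example when the page is served in a legacy single-byte charset), make sure the charset argument matches what the page actually declares.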



John Morris

I’m a 15-year veteran of freelance web development. I’ve worked with bestselling authors and average Joes next door. These days, I focus on helping other freelancers build their freelance business and their lifestyles.


This Post Has One Comment

  1. Hey John, what’s up? That’s awesome…I was just casually googling whether to use htmlspecialchars() or htmlentities(), and your post appeared right at #1 above Stack Overflow and the “People also ask…” box! Congrats! Your SEO-fu has paid off well, it seems. =)

    Not sure you’d remember me, but I’m a Patreon supporter and have been a subscriber of yours for a few years now. We’ve exchanged a few emails and some messages on Udemy, and you’ve always been super-helpful and friendly, so hats off to you and your success! =)

    And, well, for what it’s worth, I’m going with the hammer this time. Lol!


