PHP PDO: how to prevent javascript and html tags injection

I am using following script to update some data in MYSQL table, for that i am taking data from user. But it is not preventing from javascript and html tags.

$attri= //containing field name like ("name=?, email=?")
$value= //containing corresponding values like ("john", "email@exam.com")

$sql_pro = "UPDATE regist SET ".$attri." WHERE user_id = ".$_SESSION['user_id'];
        $stmt_pro = $db->prepare($sql_pro);
        $i=1;
        foreach($value as $k=>$v){
            $stmt_pro->bindValue($i,$v, PDO::PARAM_STR);
            $i++;
        }
        $stmt_pro->execute();
        if($stmt_pro){
            return true;
        }

How can i prevent from javascript and html tag injection?

Update Is there any good way to sanitize input field data before adding into database in PHP PDO.

I know how to do it with mysql_real_escape_string, htmlentities and strip_tags. thanks


You need proper form input validation and output escaping. Use htmlspecialchars() when you display your string.

As far as sanitizing input, strip_tags is the quck n' dirty way to do what you want but a much better practice is to make a list of characters that are allowed and use regex to validate.

if (preg_match('/[^a-zA-Z0-9_]/', $username)) {
    //Contains a character not in A-Z,0-9, or underscore
} else {
    //Username is fine
}
链接地址: http://www.djcxy.com/p/93760.html

上一篇: 用准备好的PDO语句解释消毒输入

下一篇: PHP PDO:如何防止javascript和html标签注入