Preventing XSS Exploits

If you are a web developer and don’t know what XSS is, it’s time to wake up. XSS, or Cross Site Scripting, is basically injecting code into someone else’s website. Once an attacker can do that, they can do all sorts of nasty stuff.

The good thing is, it’s pretty simple to prevent this in PHP:

// ereg_replace() was removed in PHP 7; preg_replace() with a delimited pattern does the same job here.
$string = preg_replace('/[\'")(;|`,<>]/', '', $string);

This piece of code strips out the characters needed to build XSS payloads. Some of them are also useful to remove when cleaning user input before, say, adding a string to a database query. It’s necessary to clean EVERY variable inputted by the end user, even ones you don’t put into a database or output to the user. Some time down the road you might use it, and not realize you forgot to clean it first.
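As an added example (not code from the original post), the following script runs the filter above next to context-aware output escaping with htmlspecialchars(), which is what a practitioner would normally use when printing user data into an HTML page; the sample input is constructed.

```php
<?php
// Added example, not from the original post. It compares the blacklist
// filter with output escaping on the same constructed input.

// Constructed sample input, the kind of thing submitted through a form field.
$input = '<script>alert(document.cookie)</script> O\'Reilly & Sons';

/**
 * The post's blacklist filter, ported from ereg_replace() (removed in
 * PHP 7) to preg_replace(). It deletes characters instead of encoding
 * them, so legitimate text is altered: "O'Reilly" loses its apostrophe,
 * and the rest of the payload text still reaches the page.
 */
function strip_dangerous_chars(string $s): string
{
    return preg_replace('/[\'")(;|`,<>]/', '', $s);
}

/**
 * Escaping for an HTML body or attribute context. The input is kept
 * intact and the browser renders it as text, because every character
 * with HTML meaning is turned into an entity. ENT_QUOTES covers both
 * quote styles, so the result is safe inside single- and double-quoted
 * attributes too; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string.
 */
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the raw value; escape at the point where it is written into HTML,
// because the right encoding depends on the output context, not the input.
echo "Blacklist filter : " . strip_dangerous_chars($input) . "\n";
echo "Escaped for HTML : " . escape_html($input) . "\n";
echo '<p>Name: ' . escape_html($input) . "</p>\n";
```

Run it with `php example.php`; the first line shows the mangled text the filter leaves behind, while the escaped line renders the original input verbatim in a browser without executing it.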