Hi guys, I asked a friend to try and hack my site to see how safe it is. He hasn't been able to get to the database or do any serious damage, but he has used JS injection to block my strip_tags() function.

I would like to know how to stop that. He somehow got through and used the marquee tag. The thing is I only see one marquee tag but he somehow got it to work.


I am not allowing any tags with strip_tags, and I will try the htmlspecialchars also.

And... can preg_replace help? Replace any "</>" tags? If so can someone show a quick usage as I am not familiar with it.


Simply remove all < and > characters; htmlspecialchars should do this, though:

$string = str_replace(array("<", ">"), array("&lt;", "&gt;"), $string);

Yes, htmlspecialchars should do the job. Also, you should not allow some other characters either, like * ' " etc. I'm not sure if specialchars replaces those, but it should remove all kinds of coding.
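
An added example, not part of the original thread: it runs the three approaches mentioned above (strip_tags, the str_replace of < and >, and htmlspecialchars) over the same inputs so the difference in quote handling is visible. The helper names e() and angle_only() are hypothetical and the sample strings are constructed.

```php
<?php
declare(strict_types=1);

// Encode a value for HTML element content or a quoted attribute value.
// ENT_QUOTES covers both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The thread's str_replace approach, kept for comparison: only < and >.
function angle_only(string $value): string
{
    return str_replace(array('<', '>'), array('&lt;', '&gt;'), $value);
}

// Constructed sample inputs (not taken from the site in the thread).
$samples = array(
    'tag'       => '<marquee>hello</marquee>',
    'attribute' => 'x" data-injected="1',
    'ampersand' => 'Tom & Jerry * 2',
);

foreach ($samples as $label => $input) {
    printf("%-10s raw:        %s\n", $label, $input);
    printf("%-10s strip_tags: %s\n", '', strip_tags($input));
    printf("%-10s angle_only: %s\n", '', angle_only($input));
    printf("%-10s e():        %s\n\n", '', e($input));
}

// Inside a quoted attribute, strip_tags leaves the double quote alone,
// so the value ends early and a second attribute appears in the markup.
$value = $samples['attribute'];
echo '<input name="q" value="' . strip_tags($value) . '">', "\n";

// e() encodes the quote, so the whole string stays a single value.
echo '<input name="q" value="' . e($value) . '">', "\n";
```

htmlspecialchars leaves * untouched because it has no meaning in HTML; it encodes only &, <, >, and the quote characters selected by the flags.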
