Prevent HTML to be displayed from $_GET method

Time:04-11

I'm currently working on a user management system. I have the register and sign-in page among other sites, that all use the $_GET function. After experimenting around a bit I noticed that you can print HTML code from the GET parameters when you exactly know what you are doing. There is probably a way to exploit this by using the onerror in an img tag e.g.
How can I prevent this from happening?

The URL: users.php?s=login&mail="> <img src='../images/notification_bell.png' width='25px'>
What it displays: [screenshot not included]

And my code:

print ' <form action="' .$url. '" method="post">
                <input type="hidden" name="a" value="login"/>
    
                <b><label for="mail">E-Mail:</label></b>
                <input type="email" id="mail" name="mail" maxlength="50" value="' .$mail. '" required><br><br>


CodePudding user response:

Use htmlspecialchars to convert user-defined characters into web-safe code. https://www.php.net/htmlspecialchars

Also, maybe you could use filter_var to validate the email and simply unset it if it's invalid. https://www.php.net/filter_var
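The two suggestions above applied to the form fragment from the question, as an added example (not the asker's or the answerer's code). The helper names e(), prefilledMail() and loginForm() and the sample query array are this example's own choices; the markup is the question's.

```php
<?php
// Added example, not code from the original post: the login form fragment with
// the reflected "mail" parameter escaped (htmlspecialchars) and validated
// (filter_var). Helper names e(), prefilledMail(), loginForm() are assumptions.

// Escape a value for use inside an HTML attribute or text node.
function e(string $value): string
{
    // ENT_QUOTES escapes both " and ', so a value cannot close a single- or
    // double-quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the "mail" query parameter only if it is a syntactically valid
// e-mail address; anything else is dropped and the field is left empty.
function prefilledMail(array $query): string
{
    $mail = $query['mail'] ?? '';
    if (!is_string($mail)) {      // ?mail[]=x arrives as an array, not a string
        return '';
    }
    return filter_var($mail, FILTER_VALIDATE_EMAIL) === false ? '' : $mail;
}

// Same markup as the question, but every dynamic value passes through e().
function loginForm(string $url, string $mail): string
{
    return '<form action="' . e($url) . '" method="post">' . "\n"
         . '    <input type="hidden" name="a" value="login"/>' . "\n"
         . '    <b><label for="mail">E-Mail:</label></b>' . "\n"
         . '    <input type="email" id="mail" name="mail" maxlength="50" value="' . e($mail) . '" required><br><br>' . "\n"
         . '</form>';
}

// Constructed sample query mirroring the URL in the question (not a live request).
$sampleQuery = [
    's'    => 'login',
    'mail' => '"> <img src=\'../images/notification_bell.png\' width=\'25px\'>',
];

// 1. Escaping alone: the payload is rendered as literal text inside the
//    value attribute, so no <img> element reaches the browser.
$escapedOnly = loginForm('users.php?s=login', $sampleQuery['mail']);
echo $escapedOnly, PHP_EOL;

// 2. Validation first: the string is not an e-mail address, so the field is empty.
$validated = loginForm('users.php?s=login', prefilledMail($sampleQuery));
echo $validated, PHP_EOL;

// 3. A legitimate address survives both steps unchanged.
echo loginForm('users.php?s=login', prefilledMail(['mail' => 'alice@example.com'])), PHP_EOL;

// Self-check: the raw payload must never appear in the generated markup.
if (strpos($escapedOnly, '<img') !== false || strpos($validated, '<img') !== false) {
    throw new RuntimeException('unescaped input leaked into the form markup');
}
```

Escaping on output (step 1) is the one that actually closes the hole, because it applies to any string regardless of where it came from; the validation in step 2 is a useful extra that also keeps junk out of the field, but it is not a substitute, since other parameters such as $url need escaping too.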
