
using htmlentities() on a commenting system using php and ajax (jquery)


Xander S.


hi everyone,

I am basically new to this forum so I didn't really know where to post this question. Basically what happened is I made a site.

On this site is a particular commenting system where I used PHP and AJAX the jQuery way. My teacher saw my website and wanted to test something, so he left a comment with <b>exampe</b> and his comment turned out to be bold text. To me and the safety of my site it is a dangerous thing, as people are required to leave their email in the form (not shown in the actual comment but saved in the DB). He also said that with his knowledge he could use <script>alert(document.cookie)</script> to make me use his cookie to log in to phpMyAdmin, essentially granting him access to all my databases.

Now my question is: "how can I use htmlentities() on AJAX?"

He suggested "$comment = htmlentities( $_POST['comment'] );" but since all of my fields are written like this:

$commentId = isset($_POST['comment_id']) ? $_POST['comment_id'] : "";
$comment = isset($_POST['comment']) ? $_POST['comment'] : "";
$commentSenderName = isset($_POST['name']) ? $_POST['name'] : "";
$date = date('Y-m-d H:i:s');

there is no way I can figure out where to put it...

These are my PHP files, take a look if you wish, but I removed my db.php database password and replaced my database name in the form (for security reasons). (You may also see comments.php as index.php since I already had an index, so I renamed it to something else.)

Attachments: comment-add.php, comment-list.php, comments.php, db.php


You should use htmlentities before displaying it on the page, not before you add it to the database. The database needs escaping so it won't interfere with your query.

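The split the reply describes, as an added example (not the poster's attached files): the add handler keeps input out of the SQL with a prepared statement instead of escaping it, and the list handler escapes each value only at the moment it is written into the HTML fragment that the jQuery call injects. It assumes a PDO connection (an in-memory SQLite database here so it runs stand-alone) and uses htmlspecialchars, which covers the characters that matter for this purpose the same way htmlentities does.

```php
<?php
// Added example, not the original poster's code. Assumes PDO with the SQLite driver;
// in the real site the connection would come from db.php.
declare(strict_types=1);

function create_schema(PDO $db): void {
    $db->exec('CREATE TABLE comments (
        comment_id INTEGER PRIMARY KEY AUTOINCREMENT,
        name TEXT NOT NULL, email TEXT NOT NULL,
        comment TEXT NOT NULL, created_at TEXT NOT NULL)');
}

// comment-add.php: store the text exactly as typed. The prepared statement keeps the
// values out of the SQL text, so quotes in a comment cannot change the query.
function store_comment(PDO $db, array $post): int {
    $name    = isset($post['name'])    ? trim((string) $post['name'])    : '';
    $email   = isset($post['email'])   ? trim((string) $post['email'])   : '';
    $comment = isset($post['comment']) ? trim((string) $post['comment']) : '';
    if ($name === '' || $comment === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('name, comment and a valid email are required');
    }
    $stmt = $db->prepare('INSERT INTO comments (name, email, comment, created_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$name, $email, $comment, date('Y-m-d H:i:s')]);
    return (int) $db->lastInsertId();
}

// Escape once, where the value enters HTML. ENT_QUOTES also covers single quotes,
// so the same helper is safe inside attribute values.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// comment-list.php: the fragment returned to the AJAX call. The email column is
// never selected, so it cannot leak into the page.
function render_comments(PDO $db): string {
    $html = '';
    foreach ($db->query('SELECT name, comment, created_at FROM comments ORDER BY comment_id') as $row) {
        $html .= '<div class="comment" data-author="' . h($row['name']) . '">'
               . '<strong>' . h($row['name']) . '</strong> <small>' . h($row['created_at']) . '</small>'
               . '<p>' . h($row['comment']) . '</p></div>' . "\n";
    }
    return $html;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_schema($db);
// Constructed sample input, mirroring the test comment described in the question.
store_comment($db, ['name' => "O'Brien", 'email' => 'test@example.com',
                    'comment' => '<b>example</b> <script>alert(document.cookie)</script>']);
// The tags come back as escaped text, so the browser displays them instead of running them.
echo render_comments($db);
```

If the AJAX endpoint returns JSON rather than HTML, keep the same rule: escape (or let jQuery's .text() escape) at the point the value is placed into the DOM, not when it is stored.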
