Jump to content
Sign in to follow this  
Xander S.

using htmlentities() on a commenting system using php and ajax (jquery)

Recommended Posts

hi everyone,

i am basically new to this forum so i didn't really know where to post this question, basically what happened i made a site.


on this site is a particular commenting system where i used php ajax on the jquery way, my teacher saw my website and wanted to test something so he left a comment with <b>exampe</b> and his comment turned out to be bold text. to me and the safety of my site it is a dangerous thing as peope are required to leave their email in the form (not shown in actual comment but saved in the db) he also said that with his knowlege he could use <script>alert(document.cookie)</script> to make me use his cookie to log in to phpmyadmin, esentially granting him acces to all my databases.


now is my question "how can i use htmlentities() on ajax?" 


he suggested "$comment = htmlentities( $_POST['comment'] );"but since all of my fields are written like this: 

$commentId = isset($_POST['comment_id']) ? $_POST['comment_id'] : "";
$comment = isset($_POST['comment']) ? $_POST['comment'] : "";
$commentSenderName = isset($_POST['name']) ? $_POST['name'] : "";
$date = date('Y-m-d H:i:s');


there is no way i can figure out where to put it...


these are my php files, take a loo if you wish, but i removed my db.php database password and replaced my database name in the form (for security reasons) (you may lso see comments.php as index.php since i already had index so i renamed it to something else

comment-add.php comment-list.php comments.php comment-add.php comment-list.php comments.php db.php

Share this post

Link to post
Share on other sites

You should use htmlentities before displaying it on the page, not before you add it to the database. The database needs escaping so it won't interfer with your query.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Create New...