Jump to content

using htmlentities() on a commenting system using php and ajax (jquery)


Xander S.
 Share

Recommended Posts

hi everyone,

i am basically new to this forum so i didn't really know where to post this question, basically what happened i made a site.

 

on this site is a particular commenting system where i used php ajax on the jquery way, my teacher saw my website and wanted to test something so he left a comment with <b>exampe</b> and his comment turned out to be bold text. to me and the safety of my site it is a dangerous thing as peope are required to leave their email in the form (not shown in actual comment but saved in the db) he also said that with his knowlege he could use <script>alert(document.cookie)</script> to make me use his cookie to log in to phpmyadmin, esentially granting him acces to all my databases.

 

now is my question "how can i use htmlentities() on ajax?" 

 

he suggested "$comment = htmlentities( $_POST['comment'] );"but since all of my fields are written like this: 

$commentId = isset($_POST['comment_id']) ? $_POST['comment_id'] : "";
$comment = isset($_POST['comment']) ? $_POST['comment'] : "";
$commentSenderName = isset($_POST['name']) ? $_POST['name'] : "";
$date = date('Y-m-d H:i:s');

 

there is no way i can figure out where to put it...

 

these are my php files, take a loo if you wish, but i removed my db.php database password and replaced my database name in the form (for security reasons) (you may lso see comments.php as index.php since i already had index so i renamed it to something else

comment-add.php comment-list.php comments.php comment-add.php comment-list.php comments.php db.php

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...