For example, I save two variables that I will call:
$username
$password
First step: Add this before inserting the variable into a database or using it with any SQL connection.
function cleanInput($input) {
    // Regexes for the markup this function strips out of the input
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // <script>...</script> blocks, including their contents
        '@<[\/\!]*?[^<>]*?>@si',            // any remaining HTML tag (opening, closing, or <!...>)
        '@<style[^>]*?>.*?</style>@siU',    // <style>...</style> blocks, including their contents
        '@<![\s\S]*?--[ \t\n\r]*>@'         // HTML comments <!-- ... -->
    );
    // Replace every match with an empty string
    $output = preg_replace($search, '', $input);
    return $output;
}
After adding this, the only thing I need to do is run my variable through this function:
$var = trim(cleanInput(mysqli_real_escape_string($con, $var)));
$username = trim(cleanInput(mysqli_real_escape_string($con, $username)));
$password = trim(cleanInput(mysqli_real_escape_string($con, $password)));
Summary:
Add this to your PHP code:
function cleanInput($input) {
    // Regexes for the markup this function strips out of the input
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // <script>...</script> blocks, including their contents
        '@<[\/\!]*?[^<>]*?>@si',            // any remaining HTML tag (opening, closing, or <!...>)
        '@<style[^>]*?>.*?</style>@siU',    // <style>...</style> blocks, including their contents
        '@<![\s\S]*?--[ \t\n\r]*>@'         // HTML comments <!-- ... -->
    );
    // Replace every match with an empty string
    $output = preg_replace($search, '', $input);
    return $output;
}
$YOURVARIABLE = trim(cleanInput(mysqli_real_escape_string($con, $YOURVARIABLE)));
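As an added example that is not part of the original post, here is the same $username / $password insert written with a mysqli prepared statement, where the values are bound as parameters instead of being escaped into the query text, plus the matching login check. It assumes an open procedural mysqli connection in $con and a table `users` with columns `username` and `password_hash`, both constructed for this example.

```php
<?php
// Added example, not from the original post. Assumes an open mysqli
// connection in $con and a table `users` (username, password_hash),
// both constructed for this illustration.

function insertUser($con, $username, $password)
{
    // Store a password hash, never the plaintext value
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // '?' placeholders: the SQL text and the values travel separately,
    // so quotes, backslashes or tags inside $username cannot change the query
    $stmt = mysqli_prepare($con, 'INSERT INTO users (username, password_hash) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    // 'ss' = two string parameters
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

function checkLogin($con, $username, $password)
{
    // Look the user up by bound parameter, then compare the stored hash
    $stmt = mysqli_prepare($con, 'SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt);   // true if a row was returned
    mysqli_stmt_close($stmt);
    return $found === true && password_verify($password, $hash);
}

// Usage with the post's variables (assumes $con is already connected):
// insertUser($con, trim($username), $password);
// checkLogin($con, trim($username), $password);
```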
