How to Secure a PHP Program from Cross-Site Scripting Attacks

Well, in this article you will learn how you can secure a PHP program from a cross-site scripting attack. In the previous article we talked about the categories of attack: there are four major types of attack listed there, so if you haven't read it yet, check out that article first before moving on to this one.

In this article, we talk about the major and very important cross-site scripting attack. Attackers typically use input text boxes or input fields to enter malicious code. By malicious code we mean JavaScript code that runs in your browser and may steal your data or destroy your complete application.

So this article will take a look at the cross-site scripting attack and show you how you can secure your PHP data from it.

So let’s get started.

The first thing you need to care about is sanitizing your data, just like sanitizing your home protects you from viruses and bugs. So what does sanitizing mean here? Sanitizing is filtering your input data to protect it from malicious JavaScript code. Using sanitizing we will neutralize the HTML brackets that cause the client browser to trigger an action.

So let's see how to secure your PHP program from a cross-site scripting attack.

There are two functions that help you sanitize your data.

  • htmlspecialchars()
  • filter_var()

Now take a closer look at these two functions. We will also show you how to employ these functions in your PHP program and prevent attackers from injecting any malicious code.
Using htmlspecialchars()

The htmlspecialchars() function detects HTML tags and converts the greater-than and less-than symbols > and < into HTML entities. So it doesn't remove the data; instead it treats that data as ordinary text and displays it in the browser.

This function will encode the following characters.

  • Double Quote ( " )
  • Ampersand ( & )
  • Single Quote ( ' )
  • Greater Than ( > )
  • Less Than ( < )

Now let's take a look at how you can employ this function in a concrete PHP program.

So whenever you need to get some data from the POST method you can employ this function and pass the POST data as its argument. The function will take the data, process it, and convert all the HTML characters we listed above.

In the previous article, we showed you how you can create a basic cross-site scripting attack. So in the xsstest.php file, pass all the POST data through this htmlspecialchars() function and see what happens.

Using filter_var()

Now take a look at the filter_var() function. Sometimes, when you need to validate an email address, you reach for a regular expression to do it. But the most straightforward way to secure your PHP code is to use the filter_var() function. This function helps you validate your data and returns a Boolean value as a response. Now take a look at some of the parameters of this function.
Above we listed some of the parameters of this function. Now let me explain what these parameters are used for. The filter_var() function takes the string data as its first argument, and the validation format for that string as its second argument. For the second argument, you can choose any parameter listed above in the article.

The FILTER_VALIDATE_EMAIL argument checks whether the string is in a valid email format. If it is, this function returns true; otherwise it returns false. This method is really very helpful for checking different variables and strings.

The FILTER_VALIDATE_IP argument validates an IP address and returns true if it is valid, otherwise false.

I hope you understand the remaining arguments and what they do. Now we will take a look at how you can employ this in your PHP program. Take a simple example: suppose you want to check whether an input string is a valid email or not. You can do that simply.

Well, this example shows you everything about the filter_var() function. In this code, we just check whether the string provided in the email variable is a valid email or not. If it is, we print "this is a valid email address" to the console, and if it is not in a valid email format we print "this is an invalid email format, please enter again".
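The following is an added example (not the article's own xsstest.php code) that puts both functions together: it escapes a submitted value with htmlspecialchars() before echoing it, and validates an email with filter_var(). Note that filter_var() actually returns the validated value on success and false on failure, so the check compares against false; the sample submissions are constructed stand-ins for $_POST, and the union return type assumes PHP 8 or later.

```php
<?php
// Added example: output escaping with htmlspecialchars() and input
// validation with filter_var(). Not part of the original article.

// Escape a value for safe insertion into HTML text or attribute content.
// ENT_QUOTES makes both quote characters encode on every PHP version;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// filter_var() returns the validated value, or false when validation fails.
function validateEmail(string $input): string|false
{
    return filter_var(trim($input), FILTER_VALIDATE_EMAIL);
}

function validateIp(string $input): string|false
{
    return filter_var(trim($input), FILTER_VALIDATE_IP);
}

// Constructed sample submissions standing in for $_POST data.
$samples = [
    'name'  => '<script>alert("xss")</script>',
    'email' => 'user@example.com',
    'bad'   => 'not-an-email<b>',
    'ip'    => '192.0.2.10',
];

// Reflecting the raw value is what the previous article's test page did;
// the escaped value renders the same characters as plain text instead.
echo "Unsafe:  <p>{$samples['name']}</p>\n";
echo "Escaped: <p>" . escapeHtml($samples['name']) . "</p>\n";

foreach (['email', 'bad'] as $key) {
    $valid = validateEmail($samples[$key]);
    if ($valid !== false) {
        echo "This is a valid email address: " . escapeHtml($valid) . "\n";
    } else {
        echo "This is an invalid email format, please enter again: "
            . escapeHtml($samples[$key]) . "\n";
    }
}

$ip = validateIp($samples['ip']);
echo ($ip !== false ? "Valid IP: $ip" : "Invalid IP") . "\n";
```

Escaping is applied at the point of output, so the stored data stays intact while the browser never interprets it as markup.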

Now I think you have learned the basics of securing a PHP program from cross-site scripting attacks. There are many more methods you can find in the PHP language; we listed a few here because explaining all of them is beyond the scope of this article.

I hope you learned something from this article.

That is all for now about securing PHP programs. To learn more about PHP and this language, stay tuned.