XSS from the url
Posted: Tue Nov 15, 2011 3:27 am
I did a test on an existing website with the following code for a query string: page.php?id=Value<script type="text/javascript">alert('XSS')</script>. Not surprisingly, it displays the alert. However, in the PHP code, I have the following:
Code:
<?php
$value = $_GET['id'];
// before I use it in the query
$cleanValue = trim(htmlentities($value, ENT_QUOTES));
?>
Yet even with this, the alert message is still displayed when I load the page.
What am I missing?
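Added example, not the original poster's code: it puts the post's pattern (an encoded copy made for the query) beside an output-encoded version, on the same payload the post describes. It assumes the page echoes the id parameter back into the HTML somewhere, which the post does not show; the echo, the renderVulnerable/renderSafe names and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not the poster's code). Assumes page.php prints the id
// back into its HTML; that echo is the assumption, the post only shows the
// pre-query cleanup.

// Constructed test input: the same payload the post describes.
$_GET['id'] = "Value<script type=\"text/javascript\">alert('XSS')</script>";

// Pattern from the post: an encoded copy is prepared for the database query ...
$value      = $_GET['id'];
$cleanValue = trim(htmlentities($value, ENT_QUOTES, 'UTF-8'));

// ... while the page template renders the raw variable. The encoded copy never
// reaches the browser, so the script tag is emitted verbatim and executes.
function renderVulnerable(string $id): string
{
    return "<p>Showing item " . $id . "</p>\n";
}

// Hardened: encode at the point of output, for the HTML context the value lands
// in. ENT_QUOTES also converts ' and ", which matters inside attributes; the
// explicit charset avoids encoding mismatches.
function renderSafe(string $id): string
{
    $encoded = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    return "<p>Showing item " . $encoded . "</p>\n";
}

echo "Raw parameter echoed (vulnerable):\n";
echo renderVulnerable($value);

echo "\nEncoded at output (hardened):\n";
echo renderSafe($value);

// $cleanValue is only useful if it is the string that gets printed. Here it is
// not, so preparing it before the query changes nothing the browser sees.
```

Run it with `php example.php` and compare the two rendered lines: the first contains a live script element, the second shows the angle brackets and quotes as entities. htmlentities and htmlspecialchars are HTML output encoding, so they belong where the value is written into the page, in the context it is written into (body text here; attributes, JavaScript and URLs need different encoding). They are not a defence for the SQL query itself, which should use prepared statements with bound parameters instead.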