Preventing Cross-Site Scripting (XSS) in PHP Using Data Filtering

In modern web environments, Cross-Site Scripting (XSS) has become one of the most common and dangerous security vulnerabilities. XSS exploits improper handling of user input, allowing attackers to inject malicious scripts and obtain sensitive information. This article introduces how to prevent XSS using PHP data filtering and provides example code.

Understanding the Principles of XSS Attacks

Before preventing XSS, we need to understand how attackers exploit the vulnerability. XSS is mainly divided into three types: Reflected, Stored, and DOM‑based, with Reflected and Stored being the most common. Attackers inject malicious scripts into user‑supplied data, which execute when the page is viewed.

Filtering Output with htmlspecialchars

In PHP, the htmlspecialchars function can be used to escape special characters into HTML entities, preventing malicious scripts from executing. The following example demonstrates its usage.

<code>$userInput = $_GET['input'];
$filteredOutput = htmlspecialchars($userInput);
echo $filteredOutput;
</code>

In this example, $_GET['input'] retrieves user input from a URL parameter, and htmlspecialchars escapes it before output, thereby blocking script injection.

Using mysqli or PDO Prepared Statements to Filter Database Queries

Stored XSS stores malicious code in the database; when the backend reads and outputs it, the code runs. Using mysqli or PDO prepared statements can filter input before it reaches the database.

Below is an example using mysqli prepared statements.

<code>$conn = new mysqli($servername, $username, $password, $dbname);
$stmt = $conn->prepare("SELECT username FROM users WHERE id = ?");
$stmt->bind_param("i", $userId);
$stmt->execute();
$stmt->bind_result($username);
while ($stmt->fetch()) {
    echo htmlspecialchars($username);
}
$stmt->close();
$conn->close();
</code>

In this example, the user‑supplied $userId is bound to the query using bind_param , the result is bound with bind_result , and the output is escaped with htmlspecialchars to prevent script execution.

Filtering User Input with filter_var

PHP provides the filter_var function for filtering user input. It can be combined with predefined filters such as FILTER_SANITIZE_STRING to allow only basic string characters.

The following example shows how to use filter_var to sanitize input.

<code>$userInput = $_POST['input'];
$filteredInput = filter_var($userInput, FILTER_SANITIZE_STRING);
echo $filteredInput;
</code>

Here, filter_var removes special characters and HTML tags, helping to prevent XSS attacks.

By properly filtering and handling user‑supplied data with htmlspecialchars , prepared statements, and filter_var , developers can significantly improve website security and protect against XSS threats.