2

I'm making a website that is using the Steam API. On my website you can enter a specific user's Steam name, then you will see the data about the player. Now the problem is that if a user has a name like this:

<script> alert("test!"); </script>

If this occurs, my website will execute this code. How can I escape code from the API's output? Is there a PHP function to do this? How can I fix this problem?

j08691
Luuk Kenselaar

1 Answer

1

http://php.net/manual/en/function.htmlspecialchars.php

htmlspecialchars (PHP 4, PHP 5, PHP 7)

htmlspecialchars — Convert special characters to HTML entities

or

http://php.net/manual/en/function.htmlentities.php

htmlentities (PHP 4, PHP 5, PHP 7)

htmlentities — Convert all applicable characters to HTML entities

dmgig
  • 1
    There are probably more sophisticated ways to do it as well, I'd definitely look at the question linked to as a duplicate. Props to you for even considering this possibility - very wise. – dmgig May 23 '18 at 22:13
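
An added example, not part of the original answer, showing `htmlspecialchars` applied at output time to a player name taken from an API response, in both element text and a quoted attribute. The JSON below is a constructed sample, and its field names (`personaname`, `profileurl`) and the helper names `e` and `safeHttpsUrl` are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/** Escape untrusted text for HTML element content or a quoted attribute value. */
function e(string $untrusted): string
{
    // ENT_QUOTES escapes both " and ', so the value cannot close an attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Return the URL only if it is an https:// link; otherwise null. */
function safeHttpsUrl(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return (is_string($scheme) && strtolower($scheme) === 'https') ? $url : null;
}

// Constructed sample response (not real API output); field names are assumptions.
$json = '{"players":[{"personaname":"<script> alert(\"test!\"); </script>",'
      . '"profileurl":"https://example.invalid/profiles/0"}]}';

$data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);

foreach ($data['players'] as $player) {
    // Treat every field from the API as untrusted text.
    $name = (string)($player['personaname'] ?? '');
    $url  = safeHttpsUrl((string)($player['profileurl'] ?? ''));

    // Escape at the point of output, once per HTML context.
    echo '<h1 title="' . e($name) . '">' . e($name) . "</h1>\n";
    if ($url !== null) {
        // Escaping alone does not make a URL safe, hence the scheme check above.
        echo '<a href="' . e($url) . '">Profile</a>' . "\n";
    }
}
```

Escaping is done when the value is written into HTML rather than when it is fetched or stored, so the same raw name can still be used safely in other contexts such as JSON or a database query with their own encoding.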