
PHP And PDO preventing Javascript injection

I have a site written in PHP utilizing PDO. I am using the bindParam() function to bind to a sql insert query:

("insert into Table (id, date, data) VALUES (?, ?, ?)")

but I am able to insert a string containing

"<script>window.location="google.com"</script>"

How to prevent this?

Thanks!!!


PDO is not going to stop you doing that. You will need to take care of the string yourself:

  1. If you do not want <script> tags at all, use strip_tags
  2. If you want those tags but don't want them to execute, then use htmlentities


Assuming you mean

<script>window.location="google.com"</script>

You should worry about injection protection on row display, as you don't want to fill up the database with HTML entities.

Use htmlspecialchars()[1] on pages that display what's on the database.

[1] http://www.php.net/manual/en/function.htmlspecialchars.php

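Putting the two answers together, as an added example that is not from the question or either answer: the bound parameter stores the question's string exactly as sent (so the quotes inside it never reach the SQL parser), and htmlspecialchars() neutralises it only when the row is displayed. It assumes PHP with the pdo_sqlite extension and uses a stand-in table name `entries`, since the question gives only the column list.

```php
<?php
// Added example: PDO binding stops SQL injection, not script injection.
// The stored value is returned untouched; escaping belongs at output time.
// Runs stand-alone against an in-memory SQLite database.

function escapeForHtml(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // attribute values as well as element content; ENT_SUBSTITUTE avoids
    // silently returning an empty string on invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Stand-in table name; the columns are the ones from the question.
$pdo->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, date TEXT, data TEXT)');

// The input from the question (constructed here as a literal).
$userInput = '<script>window.location="google.com"</script>';

// Storing: the value travels separately from the SQL text, so PDO never
// treats its quotes or angle brackets as part of the query.
$insert = $pdo->prepare('INSERT INTO entries (id, date, data) VALUES (?, ?, ?)');
$id = 1;
$date = '2011-01-01';
$insert->bindParam(1, $id, PDO::PARAM_INT);
$insert->bindParam(2, $date);
$insert->bindParam(3, $userInput);
$insert->execute();

// Reading back: the database returns exactly what was sent, tags included.
// This is expected; PDO's job was the query, not the content.
$row = $pdo->query('SELECT data FROM entries WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row['data'] === $userInput); // bool(true)

// Displaying: escape here, not before the INSERT, so the database keeps the
// raw text and every page that renders it applies the same protection.
echo '<td>' . escapeForHtml($row['data']) . "</td>\n";
// The browser receives text, not a script element:
// <td>&lt;script&gt;window.location=&quot;google.com&quot;&lt;/script&gt;</td>
```

If a field must never contain markup at all, the first answer's strip_tags() can be applied on input in addition to, not instead of, escaping on output.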
