Nice work Chris, you have left precious little for the others to comment on :-)

10. Use htmlentities() on data that will be put through a SQL query to
prevent XSS attacks. http://php.net/htmlentities



This is a nice suggestion. While htmlentities() cannot be guaranteed to defend against all XSS vulnerabilities, I would bet that most XSS vulnerabilities are due to a complete lack of filtering logic. If a developer doesn't even bother using htmlentities(), neglect is the best word to describe his/her approach to developing.

In some cases, the developer may want certain HTML elements interpreted
rather than escaped in this way. Perhaps you could mention that something
like str_replace() can be used to convert specific HTML entities back to
their original form. This method should filter any unwanted elements.


But I would still like to add my 2c by saying there is also the option of strip_tags(), which does a more drastic sanitization by removing anything that smells of HTML.



--
Raditha Dissanayake.
------------------------------------------------------------------------
http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Inteface. Just 150 KB | with progress bar.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
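The three approaches discussed in this thread (htmlentities(), strip_tags(), and escaping followed by a str_replace() whitelist) side by side, as an added example that is not part of the original post, the quoted replies, or the PHP manual. The attacker-style input string is constructed for illustration, and the function names escape_html(), strip_html() and escape_html_allow_basic() are this example's own:

```php
<?php
// Added example (not code from the mailing-list thread): the three
// approaches discussed above, run on a constructed attacker-style input.
declare(strict_types=1);

// Constructed sample input: what an attacker might submit in a comment field.
$input = '<b>hi</b> <script>alert(1)</script> <a href="javascript:alert(2)">x</a> " onmouseover="alert(3)';

// 1. htmlentities(): escape everything so the browser renders it as text.
//    ENT_QUOTES is needed so single quotes are escaped as well; without it,
//    output placed inside a single-quoted attribute can still break out.
//    ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function escape_html(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. strip_tags(): drop anything that looks like a tag. It removes tags but
//    does not escape what is left, so stray quotes and '<' survive, and text
//    that merely looks like a tag (e.g. "a <b") is silently mangled.
function strip_html(string $s): string
{
    return strip_tags($s);
}

// 3. Escape everything, then restore a short whitelist of harmless tags with
//    str_replace(), as suggested in the thread. Only bare tags with no
//    attributes are restored, so "<b onmouseover=...>" stays escaped.
function escape_html_allow_basic(string $s, array $allowed = ['b', 'i', 'em', 'strong']): string
{
    $out = escape_html($s);
    foreach ($allowed as $tag) {
        $out = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $out
        );
    }
    return $out;
}

echo "htmlentities:\n", escape_html($input), "\n\n";
// -> everything becomes text: &lt;b&gt;hi&lt;/b&gt; &lt;script&gt;... &quot; onmouseover=&quot;alert(3)

echo "strip_tags:\n", strip_html($input), "\n\n";
// -> hi alert(1) x " onmouseover="alert(3)
//    The tags are gone, but the trailing quote and event handler remain. If
//    this string is echoed into an attribute, it is still XSS.

echo "escape + whitelist:\n", escape_html_allow_basic($input), "\n\n";
// -> <b>hi</b> &lt;script&gt;... : bold is rendered, script stays inert.

// Context caveat: escaping is only sufficient for text between tags or inside
// a quoted attribute. Echoing an escaped value into an unquoted attribute, a
// javascript: URL or a <script> block can still yield XSS. The safe pattern
// for an attribute is a quoted attribute plus ENT_QUOTES:
$name = 'x" onmouseover="alert(1)';
echo '<input value="', escape_html($name), '">', "\n";
// -> <input value="x&quot; onmouseover=&quot;alert(1)">   (the quote is inert)
```

Note that the whitelist variant trusts the structure of the restored tags, not their content: an unclosed `<b>` in the input will be restored as an unclosed `<b>` in the output, which is a rendering nuisance rather than a security problem, but the list should never include tags that carry URLs or event handlers.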


