On Jan 24, 2008 1:03 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> > It is NOT safe from, say, XSS attack if $evilString contains an XSS
> > snippet and you re-display it on your site.
> >
> > In other words, you should still filter the INPUT somewhere; But you
> > are escaping the output to MySQL so that it is not going to execute
> > arbitrary SQL on your DB server.
>
> After I pull the info out of the database, before it goes to the
> webbrowser, it goes through this:
>
> function clean_html ($dirty) {
> $dirty=strip_tags($dirty);
> $clean=htmlentities($dirty);
> return $clean;
> }
>
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
That won't save you if you're echoing into a single quote attribute.
(ie: src='')
Like htmlspecialchars(), the optional second quote_style parameter
lets you define what will be done with 'single' and "double" quotes.
It takes on one of three constants with the default being ENT_COMPAT:
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
You might want to just use: htmlspecialchars($string, ENT_QUOTES);
