> -----Original Message-----
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Sent: Thursday, June 11, 2009 9:28 AM
> To: PHP-General List
> Subject: Re: [PHP] Preventing XSS Attacks
> At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
> >So something like this would be acceptable?:
> >$searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
> >$searchTerms = htmlentities($searchTerms);
> >$dbSearchTerms = mysql_real_escape_string($searchTerms);
> >Giving me two variables, one for display output to user, the other for
> >use in the database?
> I wouldn't use $_REQUEST. If you know the request method then use it.
> There can be problems using $_REQUEST.
> http://sperling.com http://ancientstones.com http://earthstones.com
I agree with tedd wholeheartedly and I want to repeat the importance of
protecting the data coming back from the db as well by using
safeEscapeString in your queries and again the reason for this is to prevent
malicious code from being executed.
As far as CSRF/XSRF goes, take a read here
Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com
PHP General Mailing List (http://www.php.net/)
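An added example, not code from the thread, showing the two-variable separation Ashley asks about done the other way round: one raw value kept as received ($_GET rather than $_REQUEST, as tedd suggests) and escaped only at each output context, htmlspecialchars for the page and PDO parameter binding for the query. Note that in the quoted snippet the database value is derived from the already HTML-encoded string, so a term containing an ampersand or quote would be looked up in its encoded form; this example assumes pdo_sqlite is available and uses a constructed fallback term so it runs from the command line.

```php
<?php
// Added example (not from the thread): keep the raw request value and escape
// it separately for each output context, instead of feeding the HTML-encoded
// string into the database escape function.

// Read the specific superglobal the form uses rather than $_REQUEST. The
// fallback value is constructed so the script also runs from the CLI.
$rawTerm = isset($_GET['q']) ? (string) $_GET['q'] : "O'Reilly & <Sons>";

// 1. HTML context: encode only at the moment the value is echoed.
$htmlTerm = htmlspecialchars($rawTerm, ENT_QUOTES, 'UTF-8');
echo "You searched for: {$htmlTerm}\n";

// 2. SQL context: bind the raw value as a parameter. The driver keeps data
//    and query text apart, so the term itself needs no escaping.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (name TEXT)");
$insert = $pdo->prepare("INSERT INTO products (name) VALUES (:name)");
foreach (["O'Reilly & <Sons> Catalogue", "Unrelated item"] as $name) {
    $insert->execute([':name' => $name]);
}

$stmt = $pdo->prepare("SELECT name FROM products WHERE name LIKE :pattern");
$stmt->execute([':pattern' => '%' . $rawTerm . '%']);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "Matches for raw term: " . count($rows) . "\n";            // 1

// Contrast: the HTML-encoded value from the quoted reply, passed on to the
// database, searches for the encoded form of the term and matches nothing.
$doubleEscaped = htmlentities($rawTerm, ENT_QUOTES, 'UTF-8');
$stmt->execute([':pattern' => '%' . $doubleEscaped . '%']);
$encodedRows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "Matches for HTML-encoded term: " . count($encodedRows) . "\n"; // 0

// 3. Data coming back from the db is likewise encoded only when rendered,
//    which covers the point Marc raises about protecting query results.
foreach ($rows as $name) {
    echo '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

The LIKE wildcards % and _ in a user-supplied term are not neutralised by parameter binding; if that matters for your search, escape them in the pattern with an ESCAPE clause.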