strip_tags should prevent a kind of explotation, but maybe its behavior is not exactly what you want...
see also htmlentities (http://www.php.net/htmlentities)
you need to ask yourself how the environment that you are using will interpret things
if you are sending "SELECT ... FROM ... WHERE field1='". $_POST['field1'] ."'", if $_POST['field1'] is:
0' OR field2=0 AND ''='
the resulting string would be: SELECT ... FROM ... WHERE field1='0' OR field2=0 AND ''=''
and you probably dont want people making queries as they like hehe
dont let ppl upload files and save them as .php or any other extension that would trigger a special behavior on the server that they shouldnt be able to
remember you can never trust input data...
[EMAIL PROTECTED] wrote:
Is the general wisdom that using strip_tags on input is sufficient to protect against XSS vulnerabilities from that input? I have been doing some reading on it but haven't found anything that suggests a vulnerability that removing the tags in this way would not cure.
Are there multi-level encodings that can get past strip_tags?
I probably should also be doing a urldecode before strip_tags to get around any hex encodings, or does strip_tags handle that?
Thanks for any info,
-- Tom
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
