Re: [PHP] XSS Preventing.
Michael, I can be useful for me. It seems there will be not ant charset problem occurs. Thanks for help. Caner. 2009/6/23 Michael A. Peters mpet...@mac.com Caner BULUT wrote: Hi Guys, I have a question if you have any knowledge about this please let me know. I getting data from a form with POST method like following. $x = htmlentities($_POST['y']); . After getting all form daha I save them into DB, I used mysql_real_escape_string. Don't try to home brew your own. You'll miss stuff. Use an input filter class that is developed by and tested by a large number of users. http://htmlpurifier.org/ is what I recommend. Also, with respect to mysql_real_escape - if you use prepared statements, escaping isn't an issue. Personally I recommend a database extraction later. Pear MDB2 is a good one. It makes your code portable to other databases as long as you stick to standard SQL (which usually is pretty easy to do).
[PHP] XSS Preventing.
Hi Guys, I have a question if you have any knowledge about this please let me know. I getting data from a form with POST method like following. $x = htmlentities($_POST['y']); . After getting all form daha I save them into DB, I used mysql_real_escape_string. I have an page which show the information that I have save into DB. But If I don't use html_entity_decode, there will encodding and charset problems. I can't set htmlentities charset parameters because this function does not have Turkish Charset support. The question is that, after saving data into DB with using htmlentities, in the information page if I use html_entity_decode function still there is an XSS risk or not? . html_entity_decode function get back all risk again? Please help. Thanks. Caner.
Re: [PHP] XSS Preventing.
Caner BULUT wrote: Hi Guys, I have a question if you have any knowledge about this please let me know. I getting data from a form with POST method like following. $x = htmlentities($_POST['y']); . After getting all form daha I save them into DB, I used mysql_real_escape_string. Don't try to home brew your own. You'll miss stuff. Use an input filter class that is developed by and tested by a large number of users. http://htmlpurifier.org/ is what I recommend. Also, with respect to mysql_real_escape - if you use prepared statements, escaping isn't an issue. Personally I recommend a database extraction later. Pear MDB2 is a good one. It makes your code portable to other databases as long as you stick to standard SQL (which usually is pretty easy to do). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
