Re: [PHP] XSS Preventing.
Michael, it can be useful for me. It seems that no charset problem will occur. Thanks for the help.

Caner.

2009/6/23 Michael A. Peters mpet...@mac.com

> Caner BULUT wrote:
>
>> Hi Guys,
>>
>> I have a question; if you have any knowledge about this, please let me know.
>>
>> I am getting data from a form with the POST method, like the following:
>>
>> $x = htmlentities($_POST['y']);
>>
>> After getting all the form data I save it into the DB; I used mysql_real_escape_string.
>
> Don't try to home brew your own. You'll miss stuff. Use an input filter class that is developed by and tested by a large number of users.
>
> http://htmlpurifier.org/ is what I recommend.
>
> Also, with respect to mysql_real_escape - if you use prepared statements, escaping isn't an issue. Personally I recommend a database extraction layer. Pear MDB2 is a good one. It makes your code portable to other databases as long as you stick to standard SQL (which usually is pretty easy to do).
Re: [PHP] XSS Preventing.
Caner BULUT wrote:

> Hi Guys,
>
> I have a question; if you have any knowledge about this, please let me know.
>
> I am getting data from a form with the POST method, like the following:
>
> $x = htmlentities($_POST['y']);
>
> After getting all the form data I save it into the DB; I used mysql_real_escape_string.

Don't try to home brew your own. You'll miss stuff. Use an input filter class that is developed by and tested by a large number of users.

http://htmlpurifier.org/ is what I recommend.

Also, with respect to mysql_real_escape - if you use prepared statements, escaping isn't an issue. Personally I recommend a database extraction layer. Pear MDB2 is a good one. It makes your code portable to other databases as long as you stick to standard SQL (which usually is pretty easy to do).

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
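
The following is an added example, not code from either poster: it stores the submitted value unchanged through a prepared statement, as recommended above, and encodes it only when it is written into HTML, with the charset stated explicitly so non-ASCII characters pass through intact. It assumes PDO with the pdo_sqlite driver and an in-memory database standing in for MySQL or MDB2; the `comments` table, the `h()` helper and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: PDO + in-memory SQLite are assumptions, not the thread's setup.

// Encode for an HTML text or quoted-attribute context at output time.
// ENT_QUOTES covers both quote styles; the charset is given explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed stand-in for $_POST['y']: markup, a quote, an ampersand
// and a non-ASCII character.
$posted = "<script>alert(1)</script> O'Reilly & Çaner";

// Store the raw value. The placeholder keeps the data out of the SQL text,
// so no escaping function is involved and nothing is HTML-encoded yet.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $posted]);

$select = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
$select->execute([':id' => (int) $pdo->lastInsertId()]);
$stored = $select->fetchColumn();

// The database holds exactly what was submitted: no entities, no backslashes.
if ($stored !== $posted) {
    throw new RuntimeException('stored value differs from submitted value');
}

// Encode at the point of output, once per context.
echo '<p>', h($stored), "</p>\n";
echo '<input name="y" value="', h($stored), '">', "\n";
```

Because the stored value is never pre-encoded, the same row can later be emitted into a non-HTML context (JSON, plain-text mail) without first undoing entities.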