Re: [PHP] XSS Preventing.

2009-06-23 Thread Caner Bulut 
Michael,

I can be useful for me. It seems there will be not ant charset problem
occurs.

Thanks for help.
Caner.


2009/6/23 Michael A. Peters mpet...@mac.com

 Caner BULUT wrote:

 Hi Guys,


 I have a question if you have any knowledge about this please let me know.


 I getting data from a form with POST method like following.


 $x = htmlentities($_POST['y']);

 .


 After getting all form daha I save them into DB, I used
 mysql_real_escape_string.


 Don't try to home brew your own.
 You'll miss stuff.

 Use an input filter class that is developed by and tested by a large number
 of users.

 http://htmlpurifier.org/

 is what I recommend.

 Also, with respect to mysql_real_escape - if you use prepared statements,
 escaping isn't an issue.

 Personally I recommend a database extraction later.
 Pear MDB2 is a good one.
 It makes your code portable to other databases as long as you stick to
 standard SQL (which usually is pretty easy to do).

Re: [PHP] XSS Preventing.

2009-06-22 Thread Michael A. Peters 

Caner BULUT wrote:

Hi Guys,

 


I have a question if you have any knowledge about this please let me know.

 


I getting data from a form with POST method like following.

 


$x = htmlentities($_POST['y']);

.

 


After getting all form daha I save them into DB, I used
mysql_real_escape_string. 


Don't try to home brew your own.
You'll miss stuff.

Use an input filter class that is developed by and tested by a large 
number of users.


http://htmlpurifier.org/

is what I recommend.

Also, with respect to mysql_real_escape - if you use prepared 
statements, escaping isn't an issue.


Personally I recommend a database extraction later.
Pear MDB2 is a good one.
It makes your code portable to other databases as long as you stick to 
standard SQL (which usually is pretty easy to do).


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php