Jasper Bryant-Greene wrote:
Before outputting anything user-sourced to the browser,
htmlspecialchars() it, preferably with the ENT_QUOTES option. If you
want to allow some HTML, only then parse the string to un-escape
certain HTML tags.
Jasper++
Check the types if it's a problem for you (using PHP's many type
functions);
Checking data types can be very misleading. I've seen many examples
(even recently in a book) that use is_int() to check to see whether
something in $_GET or $_POST is an integer. Because everything in $_GET
and $_POST is a string, this check always fails.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
