Re: Using mysql_real_escape_string without connecting to mysql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Jan 24, 2008 1:03 PM, Dotan Cohen <dotancohen@xxxxxxxxx> wrote:> On 24/01/2008, Richard Lynch <ceo@xxxxxxxxx> wrote:> > It is NOT safe from, say, XSS attack if $evilString contains an XSS> > snippet and you re-display it on your site.> >> > In other words, you should still filter the INPUT somewhere; But you> > are escaping the output to MySQL so that it is not going to execute> > arbitrary SQL on your DB server.>> After I pull the info out of the database, before it goes to the> webbrowser, it goes through this:>> function clean_html ($dirty) {>   $dirty=strip_tags($dirty);>   $clean=htmlentities($dirty);>   return $clean;> }>>> Dotan Cohen>> http://what-is-what.com> http://gibberish.co.il> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת>> A: Because it messes up the order in which people normally read text.> Q: Why is top-posting such a bad thing?>
That won't save you if you're echoing into a single quote attribute.(ie: src='')
Like htmlspecialchars(), the optional second quote_style parameterlets you define what will be done with 'single' and "double" quotes.It takes on one of three constants with the default being ENT_COMPAT:
ENT_COMPAT	Will convert double-quotes and leave single-quotes alone.

You might want to just use: htmlspecialchars($string, ENT_QUOTES);

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux