On Thu, January 24, 2008 12:03 pm, Dotan Cohen wrote:
> On 24/01/2008, Richard Lynch <ceo@xxxxxxxxx> wrote:
>> It is NOT safe from, say, an XSS attack if $evilString contains an XSS
>> snippet and you re-display it on your site.
>>
>> In other words, you should still filter the INPUT somewhere; but you
>> are escaping the output to MySQL so that it is not going to execute
>> arbitrary SQL on your DB server.
>
> After I pull the info out of the database, before it goes to the
> web browser, it goes through this:
>
> function clean_html ($dirty) {
>     $dirty = strip_tags($dirty);

The strip_tags should probably have been done before it ever went into
the database, as part of INPUT FILTERING rather than escaping output...

>     // ENT_QUOTES also encodes single quotes; the charset argument
>     // keeps multi-byte input from being misread
>     $clean = htmlentities($dirty, ENT_QUOTES, 'UTF-8');
>     return $clean;
> }
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
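The three separate concerns in the exchange above (escaping for MySQL, filtering the input once, encoding the output every time it is rendered) worked through in PHP. This is an added example, not code from the thread or from either poster. The sample string, the `comments` table and the `$pdo` handle are assumptions, and addslashes() stands in for a database escaping call so the script runs without a live connection.

```php
<?php
// Added example (not from the thread): why escaping for MySQL does not
// protect the browser, and where each transformation belongs.
// Assumes PHP 5.3 or later. The table name and the $pdo handle are
// hypothetical; no database is needed to run this file.

// Constructed input: harmless to MySQL once escaped, dangerous to a browser.
$evilString = "O'Brien <script>alert(document.cookie)</script>";

// 1. Escaping for the SQL layer. addslashes() stands in for
//    mysql_real_escape_string() so the script runs offline; the point is
//    that the <script> tag survives untouched, because SQL escaping only
//    cares about quotes and backslashes, not about HTML.
$forSql = addslashes($evilString);
// $forSql is now: O\'Brien <script>alert(document.cookie)</script>

// Better than escaping the query text at all: a prepared statement keeps
// the data out of the SQL entirely. Shown with PDO; $pdo is assumed.
//   $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (?)');
//   $stmt->execute(array($evilString));

// 2. Input filtering, done once before storage (what Richard suggests):
//    strip what the application never wants to keep. This is a policy
//    decision about the data, not the XSS defence itself.
function filter_comment_input($raw) {
    $raw = strip_tags($raw);   // markup was never meant to be stored
    return trim($raw);
}

// 3. Output encoding, done every time data is rendered into HTML.
//    htmlspecialchars() is enough for HTML; ENT_QUOTES also encodes the
//    single quote so the result is safe inside single-quoted attributes,
//    and the charset argument stops multi-byte sequences being misread.
function encode_for_html($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

$stored   = filter_comment_input($evilString);
$rendered = encode_for_html($stored);

echo "SQL-escaped only   : ", $forSql, "\n";
echo "After input filter : ", $stored, "\n";
echo "HTML-encoded       : ", $rendered, "\n";

// Output encoding alone, with no strip_tags at all, already prevents
// execution: the browser displays the tag as text instead of running it.
echo "Encoded, unfiltered: ", encode_for_html($evilString), "\n";
```

Run it with `php example.php`. The first line of output still contains a live `<script>` tag, which is exactly the case Richard warns about: the value is safe to put into a query and unsafe to put into a page. The last line shows that the browser-side defence is the encoding step, applied at the moment of output, regardless of whether strip_tags was run on the way in.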