Richard Lynch wrote:
On Thu, January 24, 2008 12:03 pm, Dotan Cohen wrote:
On 24/01/2008, Richard Lynch <ceo@xxxxxxxxx> wrote:
It is NOT safe from, say, XSS attack if $evilString contains an XSS
snippet and you re-display it on your site.
In other words, you should still filter the INPUT somewhere; But you
are escaping the output to MySQL so that it is not going to execute
arbitrary SQL on your DB server.
After I pull the info out of the database, before it goes to the
webbrowser, it goes through this:
function clean_html ($dirty) {
$dirty=strip_tags($dirty);
The strip_tags should probably have been done before it ever went into
the database, as part of INPUT FILTERING rather than escaping
output...
That should be considered part of the DRY method. But spanning page
requests.
I cannot see any reason why you shouldn't be doing this before you
insert this information into your DB. Doing it once on your insert,
instead of every single page request would seen to me a much better use
of resources.
If you are needing to have the tags in the DB, what I would do is have
add second column in your DB. One that contains the clean version and
one that contains the marked up version. Then you are not doing so much
work on each page load, and you are able to retain the marked up version
for editing ( i assume )
$clean=htmlentities($dirty);
return $clean;
}
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
×-ב-×’-ד-×”-ו-×–-×—-ט-×™-ך-×›-ל-×-מ-ן-×
-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php