> -----Original Message-----
> From: tedd [mailto:tedd.sperling@xxxxxxxxx]
> Sent: Thursday, June 11, 2009 9:28 AM
> To: PHP-General List
> Subject: Re: Preventing XSS Attacks
>
> At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
> >
> >So something like this would be acceptable?:
> >
> >$searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
> >$searchTerms = htmlentities($searchTerms);
> >$dbSearchTerms = mysql_real_escape_string($searchTerms);
> >
> >Giving me two variables, one for display output to user, the other for
> >use in the database?
> >
> >Thanks
> >Ash
>
> Ash:
>
> I wouldn't use $_REQUEST. If you know the request method then use it.
>
> There can be problems using $_REQUEST.
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com
>

I agree with tedd wholeheartedly, and I want to repeat the importance of protecting the data coming back from the db as well by using safeEscapeString in your queries; again, the reason for this is to prevent malicious code from being executed. As far as CSRF/XSRF, take a read here: http://shiflett.org/articles/cross-site-request-forgeries

[Marc Hall - HallMarc Websites - http://www.hallmarcwebsites.com 610.446.3346]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
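As an added example (not code from the thread or from any of the posters), this is the flow the replies point at: read from the request method you actually expect rather than $_REQUEST, keep the raw term once instead of chaining htmlentities into the database value, and apply each escaping at its own sink: a bound query parameter for the database, and htmlspecialchars at HTML output time for both the user's term and every value read back from the database. Prepared statements are used in place of mysql_real_escape_string, and the script runs offline against a constructed in-memory SQLite table through PDO (assumed to be available) rather than MySQL.

```php
<?php
// Added example, not code from the thread. Runs offline against an in-memory
// SQLite database via PDO (a stand-in for the MySQL setup discussed); the
// table, its rows and $_GET['q'] are all constructed here.

// One escaping function per output context. Escape at the sink, not on input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Search the `pages` table with a parameterised query. The raw term is passed
// to the driver as a bound value, so no SQL escaping is done in application
// code; only LIKE's own wildcards (% and _) need neutralising. The ESCAPE
// clause is required by SQLite; MySQL treats backslash as the escape by default.
function searchPages(PDO $pdo, string $q): array
{
    $stmt = $pdo->prepare("SELECT title, body FROM pages WHERE body LIKE :q ESCAPE '\\'");
    $stmt->execute([':q' => '%' . addcslashes($q, '\\%_') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Render results. The user's term and every column read back from the
// database are HTML-escaped here, at output time (Marc's point about data
// coming back from the db).
function renderResults(string $q, array $rows): string
{
    $html = '<p>Results for <b>' . h($q) . '</b></p>';
    foreach ($rows as $row) {
        $html .= '<h2>' . h($row['title']) . '</h2><p>' . h($row['body']) . '</p>';
    }
    return $html;
}

// --- constructed fixture ---------------------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (title TEXT, body TEXT)');
// Stored content stays raw (no entity encoding on the way in); one row holds
// markup that must come back out as text, never as a live tag.
$ins = $pdo->prepare('INSERT INTO pages (title, body) VALUES (?, ?)');
$ins->execute(['Notes', 'Try <script>alert(1)</script> in the search box']);
$ins->execute(['Plain', 'Nothing unusual here']);

// tedd's point: read the method you expect, not $_REQUEST. Simulated for CLI.
$_GET['q'] = '<script>';
$q = isset($_GET['q']) ? (string) $_GET['q'] : '';

echo renderResults($q, searchPages($pdo, $q)), PHP_EOL;
```

Because the stored body is kept raw, the same row can later be emitted into a JSON or plain-text context with that context's escaping instead of the HTML entities that htmlentities-before-insert would have baked in.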