Thanks for the response. But if I use it before display, charset problems occur. And htmlentities does not support the Turkish charset. How can I decode data after it has passed through htmlentities? Thanks.

-----Original Message-----
From: Shawn McKenzie [mailto:nospam@xxxxxxxxxxxxx]
Sent: 22 June 2009 23:27
To: php-general@xxxxxxxxxxxxx
Subject: Re: XSS Preventing.

Caner BULUT wrote:
> Hi Guys,
>
> I have a question; if you have any knowledge about this, please let me know.
>
> I am getting data from a form with the POST method like the following.
>
> $x = htmlentities($_POST['y']);
> .
>
> After getting all the form data I save it into the DB; I used
> mysql_real_escape_string.
>
> I have a page which shows the information that I have saved into the DB. But if I
> don't use html_entity_decode, there will be encoding and charset problems. I
> can't set the htmlentities charset parameter because this function does not
> have Turkish charset support.
>
> The question is: after saving data into the DB using htmlentities, if I use
> the html_entity_decode function on the information page, is there still an
> XSS risk or not? Does the html_entity_decode function bring back all the risk again?
>
> Please help.
>
> Thanks.
> Caner.

Don't htmlentities() before DB save. In general:

- mysql_real_escape_string() before DB insertion
- htmlentities() before display

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
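The pattern Shawn describes (escape for the database at insert time, escape for HTML at display time), written out as an added example that is not code from the thread. It assumes UTF-8 end to end (the PHP source, the HTML page and the database connection), which sidesteps the Turkish-charset limitation: htmlspecialchars() only rewrites the five HTML metacharacters and leaves every other UTF-8 character alone. It uses PDO with an in-memory SQLite table so it runs stand-alone; the mysql_* functions the thread mentions were removed in PHP 7, and a prepared statement makes the per-value SQL escaping unnecessary. The final block demonstrates the answer to Caner's question: htmlentities() at insert followed by html_entity_decode() at display hands the attacker's markup straight back to the browser. The sample inputs are constructed.

```php
<?php
// Added example, not from the mailing-list thread. Assumes every layer is
// UTF-8: the PHP source, the HTML page and the database connection/column.
// Uses PDO + SQLite in memory so it runs stand-alone; for MySQL the DSN
// would be 'mysql:host=...;dbname=...;charset=utf8mb4' (hypothetical values).
declare(strict_types=1);

// Constructed inputs: Turkish text, a classic XSS payload, and HTML metacharacters.
$submissions = [
    'Şişli\'de güneşli bir gün',
    '<script>alert(document.cookie)</script>',
    'Tom & Jerry "quoted" <b>bold</b>',
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// 1. Store the RAW text. The prepared statement keeps the value out of the
//    SQL grammar, so no escaping of the value itself is needed (this is what
//    mysql_real_escape_string() used to do by hand for the mysql_* extension).
function storePost(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// 2. Escape at the point of output, for the HTML element/attribute context.
//    htmlspecialchars() only touches & < > " ' and passes every other
//    character through unchanged, so Turkish characters survive as long as
//    the encoding argument matches the page encoding.
function renderForHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($submissions as $s) {
    storePost($db, $s);
}

echo "<meta charset=\"utf-8\">\n<ul>\n";
foreach ($db->query('SELECT body FROM posts ORDER BY id') as $row) {
    echo '  <li>' . renderForHtml($row['body']) . "</li>\n";
}
echo "</ul>\n";

// 3. Why the encode-before-save approach fails: encoding at insert time and
//    decoding at display time is a round trip, so the stored payload reaches
//    the browser exactly as the attacker submitted it.
$stored   = htmlentities($submissions[1], ENT_QUOTES, 'UTF-8');  // at insert time
$rendered = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');    // at display time
assert($rendered === $submissions[1]);  // the <script> tag is back, verbatim
```

Run it with `php example.php` (any PHP version with the pdo_sqlite extension, which is bundled by default). The list items come out with `<script>` rendered as `&lt;script&gt;` while the Turkish text is untouched; the only thing that needs to agree across the stack is the encoding, not a per-language entity table.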