RE: Re: XSS Preventing.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for response. 

But if I use before display there is charset problems occurs. And
htmlentities does not support Turkish Charset. How can I decode data after
pass thought htmlentities.

Thanks.

-----Original Message-----
From: Shawn McKenzie [mailto:nospam@xxxxxxxxxxxxx] 
Sent: 22 June 2009 23:27
To: php-general@xxxxxxxxxxxxx
Subject:  Re: XSS Preventing.

Caner BULUT wrote:
> Hi Guys,
> 
>  
> 
> I have a question if you have any knowledge about this please let me know.
> 
>  
> 
> I getting data from a form with POST method like following.
> 
>  
> 
> $x = htmlentities($_POST['y']);
> 
> .
> 
>  
> 
> After getting all form daha I save them into DB, I used
> mysql_real_escape_string. 
> 
>  
> 
> I have an page which show the information that I have save into DB. But If
I
> don't use html_entity_decode, there will encodding and charset problems. I
> can't set htmlentities charset parameters because this function does not
> have Turkish Charset support.
> 
>  
> 
> The question is that, after saving data into DB with using htmlentities,
in
> the information page if I use html_entity_decode function still there is
an
> 
> XSS risk or not? . html_entity_decode function get back all risk again?
> 
>  
> 
> Please help.
> 
>  
> 
> Thanks.
> 
> Caner.
> 
> 

Don't htmlentiies() before DB save.  In general:

- mysql_real_escape_string() before DB insertion

- htmlentities() before dispaly

-- 
Thanks!
-Shawn
http://www.spidean.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux