Caner BULUT wrote: > Thanks for response. > > But if I use before display there is charset problems occurs. And > htmlentities does not support Turkish Charset. How can I decode data after > pass thought htmlentities. I have no idea, I was just saying that if you use it, use it for display and not for storage. If you only use it for display, then you don't need to decode it. Also, what do you mean it doesn't support the Turkish charset? Does it mangle some of the chars? You are using it so that you don't get markup <script ....> etc. in your output, so does it do something bad with the Turkish chars?. Maybe try htmlspecialchars() as it only converts a few specific chars. > > Thanks. > > -----Original Message----- > From: Shawn McKenzie [mailto:nospam@xxxxxxxxxxxxx] > Sent: 22 June 2009 23:27 > To: php-general@xxxxxxxxxxxxx > Subject: Re: XSS Preventing. > > Caner BULUT wrote: >> Hi Guys, >> >> >> >> I have a question if you have any knowledge about this please let me know. >> >> >> >> I getting data from a form with POST method like following. >> >> >> >> $x = htmlentities($_POST['y']); >> >> . >> >> >> >> After getting all form daha I save them into DB, I used >> mysql_real_escape_string. >> >> >> >> I have an page which show the information that I have save into DB. But If > I >> don't use html_entity_decode, there will encodding and charset problems. I >> can't set htmlentities charset parameters because this function does not >> have Turkish Charset support. >> >> >> >> The question is that, after saving data into DB with using htmlentities, > in >> the information page if I use html_entity_decode function still there is > an >> XSS risk or not? . html_entity_decode function get back all risk again? >> >> >> >> Please help. >> >> >> >> Thanks. >> >> Caner. >> >> > > Don't htmlentiies() before DB save. In general: > > - mysql_real_escape_string() before DB insertion > > - htmlentities() before dispaly > -- Thanks! -Shawn http://www.spidean.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
