Re: Re: XSS Preventing.


If you use htmlentities after each query you can find problems like this:

My name is Martín.


Also, the data is stored to be used in an HTML environment.
What happens if you need the data for other purposes?

On Tue, Jun 23, 2009 at 11:42 AM, Caner Bulut <canerblt@xxxxxxxxx> wrote:

> I have read some things about these issues. And I understand that if you use
> htmlentities() BEFORE insertion, when querying the DB for XML, PDF or other
> data formats, there will be some problems.
>
> I have some PHP books, and the author codes like Martin Zvarík's way. If you
> have any pros and cons please share them with us.
>
> Thanks.
>
> 2009/6/23 Martin Zvarík <mzvarik@xxxxxxxxx>
>
> >
> >> Don't htmlentities() before DB save.  In general:
> >>
> >> - mysql_real_escape_string() before DB insertion
> >>
> >> - htmlentities() before display
> >>
> >>
> >
> > I, on the other hand, would do htmlentities() BEFORE insertion.
> >
> >
> > Pros:
> > ---
> > The text is processed once and doesn't have to be htmlentitied() every time
> > you read the database - what a stupid waste of performance anyway.
> >
> >
> > Cons:
> > ---
> > Instead of "&" you'll see "&amp;" ... is that a problem? Not for me and I
> > believe 80% of others who use a DB to store & view on the web.
> >
> >
> >
> > Martin
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>



-- 
Martin Scotta
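The point Martin Scotta is making (entities baked into stored data break every non-HTML consumer and get double-encoded on display) is easiest to see side by side. The following is an added example, not code from anyone in the thread; the "database" is a plain array so it runs offline, and the function names and the sample input are constructed.

```php
<?php
// Added example: why encoding at storage time backfires once the same value is
// reused outside HTML, versus storing raw and encoding per output context.
declare(strict_types=1);

$db = [];  // constructed stand-in for a MySQL table row

// Approach A (encode before insert): HTML entities are baked into the stored value.
function storeEncoded(array &$db, string $name): void {
    $db['encoded'] = htmlentities($name, ENT_QUOTES, 'UTF-8');
}

// Approach B (store raw, encode on output): the value keeps its original form.
// With the old mysql extension this is where mysql_real_escape_string() belongs;
// with PDO/mysqli a bound parameter does that job, so nothing is escaped here.
function storeRaw(array &$db, string $name): void {
    $db['raw'] = $name;
}

// One output encoder per destination context.
function toHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
function toJson(string $s): string {
    return json_encode($s, JSON_UNESCAPED_UNICODE | JSON_HEX_TAG | JSON_HEX_AMP);
}
function toPlainText(string $s): string {
    return $s;  // e.g. an e-mail body or a PDF text field: no HTML escaping wanted
}

$input = 'Martín <b>& Co</b>';  // constructed sample containing a non-ASCII letter, <, > and &
storeEncoded($db, $input);
storeRaw($db, $input);

// A: the pre-encoded value leaks entities into non-HTML output ("Mart&iacute;n ...")
echo "Plain text from encoded store: " . toPlainText($db['encoded']) . "\n";
// A: and escaping it again at display time double-encodes it ("Mart&amp;iacute;n ...")
echo "HTML from encoded store, re-encoded: " . toHtml($db['encoded']) . "\n";

// B: raw storage plus per-context encoding renders correctly everywhere.
echo "HTML:  " . toHtml($db['raw']) . "\n";   // Martín &lt;b&gt;&amp; Co&lt;/b&gt;
echo "JSON:  " . toJson($db['raw']) . "\n";   // "Martín \u003Cb\u003E\u0026 Co\u003C/b\u003E"
echo "Plain: " . toPlainText($db['raw']) . "\n";  // Martín <b>& Co</b>
```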

