At 1:06 PM +0000 5/23/11, Ford, Mike wrote:
(Incidentally, tedd, your test script has the < > signs the wrong way
round in the output; plus which they should be < > anyway; plus
plus which, you are not applying htmlspecialchars() or whatever to
your echoed user input, so values such as
"><!--"
break your page, and I'm sure something more malicious could be cooked
up were I so inclined... :( .)
Mike
Mike:
Thanks.
The "which way the arrows point" thing is because I'm dyslexic. While
I know that "a" appears before "b", it's difficult for me to think of
'a' being less than 'b' -- UNLESS -- I think in terms of their ASCII
values and then everything makes sense -- but that's a step away from
deciding < or >. IOW, it's a two step process for me to realize which
way the arrows point.
As for the htmlspecialchars(), you are absolutely right. The demo was
for my students and I didn't want to confuse them. However, I have
changed the code to htmlentities(). They probably should start
learning basic security from the get-go (as should I).
Cheers,
tedd
--
-------
http://sperling.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
