tibberous Posted September 11, 2008

I finally said hell with it and just started to try and break my web app. I came up with this test:

'"< \“smart quotes” >"'
'"< \“smart quotes” >"'
'"< \“smart quotes” >"'

If my app could pass that through all its fields, it was secure. The problem is that it blew it up. A lot.

So, I came up with the idea of keeping the data unescaped in the database, and to use escape functions to display the data based on the context I was using it. So, if it was in an xml file, I'd go x($username), but if it was in a line of javascript code, I'd use e($username). And d was for the database, and h was for html. I've used a ton of different methods, but this seems to be the cleanest way I've found. The functions themselves are simple too:

function x($input){
    // Replace the four XML-significant characters with entities; normalise line
    // endings; map the Windows-1252 smart quotes and em dash (chr 145-148, 151)
    // to plain ASCII equivalents.
    $input = str_replace(
        array('"', "'", "<", ">", "\r\n", "\n", chr(145), chr(146), chr(147), chr(148), chr(151)),
        array("&quot;", "&#39;", "&lt;", "&gt;", "\r", "\n", "'", "'", '"', '"', '-'),
        $input);
    return trim($input);
}

How would you guys recommend to consistently escape data?

https://forums.phpfreaks.com/topic/123723-escaping-data/
genericnumber1 Posted September 11, 2008

To escape quotes? mysql_real_escape_string() To escape html? htmlentities() or htmlspecialchars() -- These two do what the function you posted does.. no need to rewrite something else that's already been done.
GingerRobot Posted September 11, 2008

Quoting tibberous: "I came up with the idea of keeping the data unescaped in the database"

And what about SQL injection?
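The pattern the thread converges on is: store the raw string, escape once, at output time, with a function chosen by the output context, and never escape "for the database" at all because a prepared statement keeps data and SQL apart. The following is an added example written for this thread, not code from any of the posters; it assumes PHP 7.3 or later with the pdo_sqlite extension so the database step runs in memory. It also answers GingerRobot's SQL injection question: with bound parameters the stored value needs no escaping, and the original test string round-trips unchanged. The smart-quote conversion in tibberous's x() is dropped here because, with UTF-8 end to end, the curly quotes are ordinary characters and need no mapping.

```php
<?php
// Added example (not from the thread): one escaping helper per output context.
// The same raw $username is written safely into HTML, XML, JavaScript and SQL.

// HTML text and attribute context. ENT_QUOTES covers both "..." and '...'
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ""
// (without it, a stray CP1252 byte makes htmlspecialchars output nothing).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// XML context: same four characters, but with the XML 1.0 entity set
// (single quote becomes &apos; rather than the HTML 4 &#039;).
function x(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_XML1, 'UTF-8');
}

// JavaScript context: emit a JSON string literal. JSON_HEX_* additionally
// hex-encodes < > & ' " so the literal can never terminate the enclosing
// <script> element or break out of an attribute.
function e(string $s): string {
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// Database context: no string escaping at all. The value is bound as a
// parameter, so the driver never interprets it as SQL.
function store_user(PDO $db, string $username): void {
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    $stmt->execute([':u' => $username]);
}

function load_first_user(PDO $db): string {
    return (string) $db->query('SELECT username FROM users LIMIT 1')->fetchColumn();
}

// Constructed sample input: the thread's own test string, as a PHP literal.
$username = '\'"< \\“smart quotes” >"\'';

echo '<p>' . h($username) . "</p>\n";
echo '<input value="' . h($username) . "\">\n";
echo '<user name="' . x($username) . "\"/>\n";
echo '<script>var name = ' . e($username) . ";</script>\n";

// In-memory SQLite so the example needs no server (assumed: pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT)');
store_user($db, $username);

echo (load_first_user($db) === $username)
    ? "stored value round-trips unchanged\n"
    : "stored value was altered\n";
```

The point of keeping h(), x() and e() as three distinct one-liners rather than one "sanitise everything" function is that each context has a different grammar: an HTML entity means nothing inside a JavaScript string, and a JSON escape means nothing inside an attribute. Escaping once at output, in the grammar of the place the string lands, is what lets the raw test string survive every field.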