tibberous Posted September 11, 2008

I finally said hell with it and just started to try and break my web app. I came up with this test:

'"< \“smart quotes” >"'

If my app could pass that through all its fields, it was secure. The problem is that it blew it up. A lot.

So, I came up with the idea of keeping the data unescaped in the database, and using escape functions to display the data based on the context I was using it in. So, if it was in an XML file, I'd go x($username), but if it was in a line of JavaScript code, I'd use e($username). And d was for the database, and h was for HTML. I've used a ton of different methods, but this seems to be the cleanest way I've found. The functions themselves are simple too:

    function x($input){
        // Map Windows-1252 smart quotes / dash to ASCII and normalise CRLF first.
        // str_replace() applies the pairs in order, so doing this after escaping
        // would turn chr(147) back into a raw '"' in the escaped output.
        $input = str_replace(
            array(chr(145), chr(146), chr(147), chr(148), chr(151), "\r\n"),
            array("'", "'", '"', '"', '-', "\n"),
            $input);
        // Entity names were decoded by the forum export; restored here.
        // '&' is escaped first so the entities just produced are not re-escaped.
        $input = str_replace(
            array("&", '"', "'", "<", ">"),
            array("&amp;", "&quot;", "&apos;", "&lt;", "&gt;"),
            $input);
        return trim($input);
    }

How would you guys recommend to consistently escape data?
genericnumber1 Posted September 11, 2008

To escape quotes? mysql_real_escape_string()
To escape HTML? htmlentities() or htmlspecialchars() -- These two do what the function you posted does. No need to rewrite something else that's already been done.
GingerRobot Posted September 11, 2008

> I came up with the idea of keeping the data unescaped in the database

And what about SQL injection?
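A worked version of the approach the thread is circling around, added here as an example and not code from any of the posters: store the raw value, and run it through one escaper per output context at display time. The function names h(), x() and e() are reused from the first post; the database context uses bound parameters instead of a d() escape function, which is what addresses the SQL injection question. It assumes PHP 7+, UTF-8 input, and the pdo_sqlite extension for an in-memory database; the probe string is constructed inline from the first post.

```php
<?php
// Added example, not code from any poster in this thread.
// Assumes PHP 7+, UTF-8 input, and the pdo_sqlite extension.

// The first post's probe string, constructed here with UTF-8 curly quotes.
$probe = "'\"< \\\u{201C}smart quotes\u{201D} >\"'";

function h(string $s): string {
    // HTML text and *quoted* attribute values. ENT_QUOTES also escapes the
    // single quote; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function x(string $s): string {
    // XML text and attribute values. CRLF is normalised first; ENT_XML1 keeps
    // the output to the XML entity set, so no HTML-only names like &nbsp; appear.
    $s = str_replace("\r\n", "\n", $s);
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_XML1, 'UTF-8');
}

function e(string $s): string {
    // A JavaScript string literal, quotes included. The JSON_HEX_* flags turn
    // < > & ' " into \u00XX escapes, so the literal cannot close a <script>
    // element or an attribute when it is inlined in HTML. json_encode() also
    // escapes U+2028/U+2029, which are line terminators in JavaScript.
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($out === false) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $out;
}

function roundTrip(PDO $db, string $value): string {
    // Bound parameters keep the value out of the SQL text entirely, so there is
    // nothing to escape for the database context.
    $ins = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    $ins->execute([':u' => $value]);
    $sel = $db->prepare('SELECT username FROM users WHERE username = :u');
    $sel->execute([':u' => $value]);
    return (string) $sel->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

$stored = roundTrip($db, $probe);
if ($stored !== $probe) {
    throw new RuntimeException('stored value was altered');
}

// Each output context gets the raw stored value through its own escaper.
echo '<p>Hello, ' . h($stored) . "</p>\n";
echo '<input value="' . h($stored) . "\">\n";
echo '<user name="' . x($stored) . "\"/>\n";
echo '<script>var user = ' . e($stored) . ";</script>\n";
```

The caveats a practitioner would want: h() is only safe inside quoted attributes (an unquoted attribute is terminated by whitespace, which it does not escape); e() produces a complete JavaScript string literal and should not be wrapped in extra quotes; and because nothing is escaped on the way in, the same raw value is reusable in any new context later, which is the whole point of escaping at output rather than at input.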