master82, Posted June 6, 2007: Just a quick question... If I use htmlspecialchars on a user text input before storing into a database, then when showing the data in an output use htmlspecialchars_decode before displaying, would that allow potentially harmful code to be run? (i.e. is it only a good way to store the data, not display it?)
per1os, Posted June 6, 2007: What type of potentially harmful code are you trying to prevent? SQL injection, XSS exploits? If you are only worried about SQL injection, www.php.net/mysql_real_escape_string works. If you are worried about XSS, I am sure it will; if you have not done so, try storing this and displaying it on the page: $xss = "<script>alert('XSStest');</script>"; If you can see the alert display on the page, then it is not preventing any type of XSS exploit.
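An added example (not code from the thread) that walks through per1os's test: decoding on output exactly undoes the encoding done on input, so the browser receives the original string, whereas escaping at the point of output is what actually neutralises it. The function names are my own.

```php
<?php
// Constructed sample input: the same test string suggested in the thread.
const SAMPLE_INPUT = "<script>alert('XSStest');</script>";

// The pattern asked about in the question: encode before storing,
// decode before displaying.
function encodeThenDecode(string $userInput): string
{
    // "Stored" form: special characters replaced by HTML entities.
    $stored = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
    // "Displayed" form: the decode reverses every substitution the encode made,
    // so what goes to the browser is byte-for-byte the original markup.
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// Returns true when the round trip changed nothing, i.e. no protection.
function roundTripIsIdentity(string $userInput): bool
{
    return encodeThenDecode($userInput) === $userInput;
}

// The safer pattern: keep the stored value as the user typed it (handle the
// database layer separately, with prepared statements or proper escaping) and
// escape once, at the moment the value is written into the HTML page.
function renderComment(string $rawFromDb): string
{
    return '<p>' . htmlspecialchars($rawFromDb, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Demonstration: the decoded output still contains a raw <script> tag,
// while the escaped output contains no '<' at all.
$decoded = encodeThenDecode(SAMPLE_INPUT);
$escaped = renderComment(SAMPLE_INPUT);

echo "Round trip is identity: " . var_export(roundTripIsIdentity(SAMPLE_INPUT), true) . PHP_EOL;
echo "Decoded contains <script>: " . var_export(str_contains($decoded, '<script>'), true) . PHP_EOL;
echo "Escaped contains <script>: " . var_export(str_contains($escaped, '<script>'), true) . PHP_EOL;
```

In short, htmlspecialchars is an output-encoding step; undoing it before output leaves nothing between the stored text and the browser.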
master82 (Author), Posted June 6, 2007: Thanks, I don't know any JS so didn't know how to test these things...