master82 Posted June 6, 2007

Just a quick question... If I use htmlspecialchars on a user text input before storing it into a database, then when showing the data in an output use htmlspecialchars_decode before displaying, would that allow potentially harmful code to be run? (i.e. is it only a good way to store the data, not display it?)

https://forums.phpfreaks.com/topic/54495-htmlspecialchars-and-htmlspecialchars_decode/
per1os Posted June 6, 2007

What type of potentially harmful code are you trying to prevent? SQL injection, XSS exploits? If you are only worried about SQL injection, www.php.net/mysql_real_escape_string works. If you are worried about XSS, I am sure it will; if you have not done so, try storing this and displaying it on the page:

$xss = "<script>alert('XSStest');</script>";

If you can see the alert display on the page, then it is not preventing any type of XSS exploit.
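The round trip the question describes, worked through as an added example (this code is not from the original thread or from either poster). It stores the probe string from the reply above after htmlspecialchars, then shows what htmlspecialchars_decode hands back, next to the two output strategies that actually neutralise the payload. Assumed: PHP 5.4 or later with UTF-8 output; the variable names are illustrative.

```php
<?php
// Added example: does htmlspecialchars() on input followed by
// htmlspecialchars_decode() on output protect against XSS?

// Constructed attacker input, the same probe suggested in the reply above.
$userInput = "<script>alert('XSStest');</script>";

// Step 1: encode before storing, as the question proposes.
// ENT_QUOTES also encodes single quotes, which matters inside attributes.
$stored = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
// $stored is now: &lt;script&gt;alert(&#039;XSStest&#039;);&lt;/script&gt;

// Step 2a (unsafe): decode before display. This reverses step 1 exactly, so
// the browser receives the raw <script> element and executes it.
$unsafeOutput = htmlspecialchars_decode($stored, ENT_QUOTES);
var_dump($unsafeOutput === $userInput); // bool(true): the payload is back

// Step 2b (safe): echo the stored value as-is. The browser renders the
// literal text "<script>alert('XSStest');</script>" and runs nothing.
$safeOutput = $stored;

// Alternative (the usual approach): store the raw input and escape once, at
// output time, for the context it is written into. The same record may later
// be sent as JSON, email or CSV, where HTML entities would be wrong.
// SQL injection is a separate problem, handled by parameterised queries.
$rawStored = $userInput;
$escapedAtOutput = htmlspecialchars($rawStored, ENT_QUOTES, 'UTF-8');
var_dump($escapedAtOutput === $stored); // bool(true): same result, applied once

echo "Decoded before display (executes):     $unsafeOutput\n";
echo "Kept encoded (renders as text):        $safeOutput\n";
echo "Escaped at output (renders as text):   $escapedAtOutput\n";
```

Two caveats a practitioner would add: the decode-on-output pattern is only safe if the value is never echoed into HTML afterwards, and htmlspecialchars() is the right escaping only for HTML element content and quoted attribute values; a value written inside a `<script>` block, a URL, or a CSS declaration needs escaping specific to that context instead.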
master82 Posted June 6, 2007 (Author)

Thanks, I don't know any JS so didn't know how to test these things...