TalkPHP
Home Forums Articles Glossary Awards Register Rules Members Search Today's Posts Mark Forums Read
 
 
 
Account Login
Latest Articles
» The basic usage of PHPTAL, a XML/XHTML template library for PHP
by awuehr on 11-10-2008 in Tips & Tricks
» Vulnerable methods and the areas they are commonly trusted in.
by Village Idiot on 11-04-2008 in Classes & Objects
» Simple way to protect a form from bot
by codefreek on 10-23-2008 in Basic
» The Basics On: How Session Stealing Works
by wiifanatic on 09-12-2008 in Security & Permissions
» How to keep your forms from double posting data
by drewbee on 07-03-2008 in Tips & Tricks
IRC Channel
IRC Speech Bubble Join the friendly bunch on IRC...
(#TalkPHP on Freenode)

...Also available via a web interface.

See this thread for information on the TalkPHP Free Hugs Initiative™. Subject to availability.
Associates
Associates
CSS Tutorials
TalkPHP > Developer Forums > Advanced PHP Programming » Convert Data output
Reply
 
LinkBack Thread Tools Search this Thread Display Modes
Old 02-08-2009, 06:56 AM   #1 (permalink)
The Contributor
 
Sakakuchi's Avatar
 
Join Date: Feb 2009
Posts: 64
Thanks: 1
Sakakuchi is on a distinguished road
Help Convert Data output
Hi!

Let's pretend I take Userdata, and save it in a file or database (like a forum or shoubox).
How could I secure the script so that users can enter stuff like "<script>*</script>" and stuff, so that the browser displays it and does not run the script. I always used to use strip_tags to secure my scripts, but it removes the code and does not convert it in something that the browser displays.

Same with "<?php ?>" and similar (binary safe). I guess there needs something to be like an encoding?

Thx for your time reading this post

Greetz
Sakakuchi
Sakakuchi is offline   		Reply With Quote
Old 02-08-2009, 10:26 AM   #2 (permalink)
Moderateur
RegEx Guru PHP Guru Top Contributor Advanced Programmer 
 
Salathe's Avatar
 
Join Date: Apr 2007
Posts: 1,393
Thanks: 5
Salathe is on a distinguished road
Default
If you're outputting HTML, use htmlspecialchars() to encode ampersands (&), angled brackets (<>) and (optionally) single/double (' ") quotation marks.
Salathe is offline   		Reply With Quote
Old 02-08-2009, 02:26 PM   #3 (permalink)
The Contributor
 
Sakakuchi's Avatar
 
Join Date: Feb 2009
Posts: 64
Thanks: 1
Sakakuchi is on a distinguished road
Default
Thx for the answer, will read up on htmlspecialchars().
Sakakuchi is offline   		Reply With Quote
Reply

« Previous Thread | Next Thread »


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

Similar Threads
Thread Thread Starter Forum Replies Last Post
SQL Injection and mysql_real_escape_string Durux General 61 01-29-2013 12:20 PM
Venerable methods and the applications they are commonly trusted in. Village Idiot Tips & Tricks 7 11-06-2008 07:36 AM
Creating a table from loaded data benton General 5 04-20-2008 11:48 AM
The act of sharing your data Wildhoney General 0 12-06-2007 03:31 PM
Tips: PHP security Village Idiot Tips & Tricks 22 11-23-2007 11:17 PM


All times are GMT. The time now is 08:27 PM.

 
     
Contact Us - TalkPHP - PHP Community - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Inactive Reminders By Icora Web Design