[thelist] Pass vars to HTML in PHP

Christian Heilmann codepo8 at gmail.com
Mon Apr 10 04:33:06 CDT 2006

> >     <td bgcolor="#<?php echo (empty($_GET['color']) ? '339933' :
> > $_GET['color']); ?>">
> > This will give you the default color of #339933, unless there is a
> > query string variable named 'color':
> This is a tad risky as it exposes the page to XSS attacks, though, don't
> you think?
> I've been looking at resources like this [1] for help on such things.
> Perhaps something like this on the value returned from the $_GET would
> be safer?
> htmlentities($_GET['color']);
> Is there accepted best practice for this? What do others do?

I tend to do a strip_tags on the value, or in a case like this I
really test if the value is a valid hex number and not anything else.


Chris Heilmann
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/
Binaries: http://www.onlinetools.org/

More information about the thelist mailing list