[thelist] [Easy as Pie] Working with a Database

David Dorward david at dorward.me.uk
Fri Jan 18 17:09:31 CST 2008

On 18 Jan 2008, at 23:04, Jon Hughes wrote:
> I'm not seeing where I am vuln. To XSS, as I am using htmlentities on
> the output,

Not in every case that you output data entered by the user (and  
shouldn't you be using htmlspecialchars[1]?)

> but I did in fact forget to escape the input to the database
> - http://us.php.net/addslashes is the preferred method, right?

No, mysql_real_escape_string is (if you're working with MySQL at least).

(And that function name does a good job of summing up my number one  
gripe with PHP)

[1] Note that my PHP skills are decidedly rusty, you should probably  
check my suggestions of how to fix the holes in your code with a more  
reliable source.

David Dorward

More information about the thelist mailing list