[thelist] [Easy as Pie] Working with a Database
David Dorward
david at dorward.me.uk
Fri Jan 18 17:09:31 CST 2008
On 18 Jan 2008, at 23:04, Jon Hughes wrote:
> I'm not seeing where I am vuln. to XSS, as I am using htmlentities on
> the output,
Not in every case that you output data entered by the user (and
shouldn't you be using htmlspecialchars[1]?)
> but I did in fact forget to escape the input to the database
> - http://us.php.net/addslashes is the preferred method, right?
No, mysql_real_escape_string is (if you're working with MySQL at least).
(And that function name does a good job of summing up my number one
gripe with PHP)
[1] Note that my PHP skills are decidedly rusty, you should probably
check my suggestions of how to fix the holes in your code with a more
reliable source.
--
David Dorward
http://dorward.me.uk/
http://blog.dorward.me.uk/
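As an added example (not code from this thread, nor Jon's application), the two fixes David points at, in working PHP: htmlspecialchars() at every HTML sink, including attribute values, and the driver's connection-aware escaping function rather than addslashes() for values going into SQL. ext/mysql, and with it mysql_real_escape_string, was removed in PHP 7, so mysqli_real_escape_string stands in for it here; it is the same approach. The table and column names, the environment variables and the form inputs are assumptions.

```php
<?php
// Added example, not code from the original thread. Demonstrates the two
// fixes suggested in the reply: htmlspecialchars() on *every* HTML output
// of user data, and connection-aware SQL escaping instead of addslashes().
// Table/column names and environment variables are assumptions.
declare(strict_types=1);

// Escape for an HTML text node or a *quoted* attribute value.
// ENT_QUOTES escapes both ' and " so the value is safe inside attributes
// quoted either way; passing the charset matters, since a mis-declared
// encoding is a classic way escaping gets bypassed.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Why htmlentities() is the wrong tool: it also converts every character that
// has a named entity (é, ©, ...), mangling non-ASCII text for no security
// gain. The characters that matter for HTML are exactly the ones
// htmlspecialchars() handles.

// Quote a value for a MySQL statement. Correct escaping depends on the
// connection's character set, which is why the function takes the connection.
// addslashes() does not know it: on a GBK connection the bytes 0xBF 0x27
// become 0xBF 0x5C 0x27, which MySQL reads as one two-byte character
// followed by an unescaped quote.
function sqlQuote(mysqli $db, string $s): string
{
    return "'" . mysqli_real_escape_string($db, $s) . "'";
}

function saveComment(mysqli $db, string $author, string $body): void
{
    $sql = 'INSERT INTO comments (author, body) VALUES ('
         . sqlQuote($db, $author) . ', ' . sqlQuote($db, $body) . ')';
    if (!mysqli_query($db, $sql)) {
        throw new RuntimeException('insert failed: ' . mysqli_error($db));
    }
}

// Output: escape at *every* sink. The attribute value is as much a sink as
// the visible text; missing one of them is the "not in every case" problem.
function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . e($author) . '">'
         . '<strong>' . e($author) . '</strong>: ' . e($body) . '</div>';
}

// Constructed inputs standing in for what a comment form might submit.
$author = 'Jon" onmouseover="alert(1)';
$body   = "Hi <script>alert('xss')</script> & bye";
echo renderComment($author, $body), PHP_EOL;

// The database part needs a live server; run with, for example:
//   DB_HOST=localhost DB_USER=u DB_PASS=p DB_NAME=test php example.php
if (getenv('DB_HOST') !== false) {
    $db = mysqli_connect(
        getenv('DB_HOST') ?: null,
        getenv('DB_USER') ?: null,
        getenv('DB_PASS') ?: null,
        getenv('DB_NAME') ?: null
    );
    // Escaping is only correct for the charset the connection actually uses,
    // so set it through the driver, not with a raw "SET NAMES" query.
    mysqli_set_charset($db, 'utf8mb4');
    saveComment($db, $author, $body);
}
```

Run without the DB_HOST variable and only the HTML part executes, printing the comment with the quote and angle brackets escaped so the injected attribute never leaves the attribute value. With the variables set it also performs the insert, using mysqli_set_charset so that mysqli_real_escape_string and the server agree on the character set.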