Again, thank you for your comments, I sincerely appreciate the time you took to look over my code. I have a feeling my PHP skills are rustier than yours, but I know of no better place to ask for help than this very list, so if anyone is listening and knows a better way, please chime in!

- Jon

> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of David Dorward
> Sent: Friday, January 18, 2008 3:10 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] [Easy as Pie] Working with a Database
>
> On 18 Jan 2008, at 23:04, Jon Hughes wrote:
> > I'm not seeing where I am vuln. to XSS, as I am using htmlentities on the output,
>
> Not in every case that you output data entered by the user (and shouldn't you be using htmlspecialchars?)
>
> > but I did in fact forget to escape the input to the database - http://us.php.net/addslashes is the preferred method, right?
>
> No, mysql_real_escape_string is (if you're working with MySQL at least).
>
> (And that function name does a good job of summing up my number one gripe with PHP)
>
> Note that my PHP skills are decidedly rusty, you should probably check my suggestions of how to fix the holes in your code with a more reliable source.
>
> --
> David Dorward
> http://dorward.me.uk/
> http://blog.dorward.me.uk/
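The two fixes David describes (escape every user-supplied value where it reaches HTML, and use the database's own escaper rather than addslashes), shown as an added PHP example that is not code from either poster. It assumes a mysqli connection `$db` and a `comments(name, body)` table, both invented for illustration; the prepared-statement variant is an extra technique the thread does not mention.

```php
<?php
// --- Vulnerable versions, matching the two mistakes discussed in the thread ---
function save_comment_unsafe(mysqli $db, string $name, string $body): void {
    // addslashes() knows nothing about the connection's character set and is
    // not an SQL escaper, so this is still injectable.
    $sql = "INSERT INTO comments (name, body) VALUES ('" . addslashes($name)
         . "', '" . addslashes($body) . "')";
    $db->query($sql);
}

function render_comment_unsafe(string $name, string $body): string {
    // Escaping applied in one place only: the attribute value and $body go
    // out raw, which is the "not in every case" problem.
    return '<p><a href="/user?name=' . $name . '">' . htmlentities($name)
         . '</a>: ' . $body . '</p>';
}

// --- Hardened versions ---
function save_comment_safe(mysqli $db, string $name, string $body): void {
    // Connection-aware escaping, as the thread recommends. real_escape_string()
    // is the mysqli form of mysql_real_escape_string (mysql_* is gone in PHP 7+).
    $sql = "INSERT INTO comments (name, body) VALUES ('"
         . $db->real_escape_string($name) . "', '"
         . $db->real_escape_string($body) . "')";
    $db->query($sql);
}

function save_comment_prepared(mysqli $db, string $name, string $body): void {
    // Not from the thread: a prepared statement keeps data out of the SQL text
    // entirely, so no manual escaping is needed at all.
    $stmt = $db->prepare('INSERT INTO comments (name, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $body);
    $stmt->execute();
}

function h(string $s): string {
    // ENT_QUOTES escapes both ' and ", so one helper is safe in element content
    // and inside single- or double-quoted attributes alike.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_comment_safe(string $name, string $body): string {
    // Every user-controlled value is escaped at the point it enters HTML; the
    // value used in a URL is URL-encoded first, then HTML-escaped.
    return '<p><a href="/user?name=' . h(rawurlencode($name)) . '">' . h($name)
         . '</a>: ' . h($body) . '</p>';
}
```

With constructed input such as `$name = "x' OR '1'='1"` and `$body = '<script>alert(1)</script>'`, the unsafe pair stores and echoes the payloads unchanged, while the safe pair stores the literal text and renders `&lt;script&gt;`.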