My point is, can you think of a logical reason why html_entity_decode
would be run on user input? I'm sure some idiot is doing it (and
therefore this is a security issue, though not exactly critical), but I
don't think I can think of a reason why it would be done.
Why would you want to decode HTML entities given by a user? The opposite
(encode their input into HTML entities) is the usual approach...
Jasper
Slythers Bro wrote:
<?php
$host = "127.0.0.1";
$user = "sqluser";
$pass = "sqlpass";
.....
// user-supplied value is entity-decoded and echoed back without any output escaping
$foobar=html_entity_decode($_GET['foo']);
echo $foobar;
?>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
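As an added illustration (not part of the original thread or the quoted script), the following PHP contrasts the decode-then-echo pattern from the quoted snippet with the encode-on-output approach Jasper refers to; the function names and sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Contrasts the quoted
// decode-then-echo pattern with the usual encode-on-output approach.
// The $samples values are constructed user input for the demonstration.

// Mirrors the quoted snippet: entity-decoding user input before echoing it.
// Any escaping applied upstream (by the client or a filter) is undone here,
// so entity-encoded markup becomes live markup in the response.
function render_decoded(string $foo): string {
    return html_entity_decode($foo, ENT_QUOTES, 'UTF-8');
}

// The usual approach: never decode; escape on output so the user text is
// rendered literally, whatever characters or entities it contains.
function render_encoded(string $foo): string {
    return htmlspecialchars($foo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: plain text, markup that was already entity-encoded
// once (as a browser or an escaping layer would send it), and double-encoded.
$samples = [
    'plain text'     => 'hello world',
    'encoded markup' => '&lt;b&gt;hi&lt;/b&gt;',
    'double-encoded' => '&amp;lt;b&amp;gt;',
];

foreach ($samples as $label => $input) {
    printf("%-15s input:   %s\n", $label, $input);
    printf("%-15s decoded: %s\n", '', render_decoded($input)); // markup goes live
    printf("%-15s encoded: %s\n", '', render_encoded($input)); // rendered literally
}

// Sanity checks for the two outcomes discussed in the thread.
assert(render_decoded('&lt;b&gt;hi&lt;/b&gt;') === '<b>hi</b>');
assert(render_encoded('&lt;b&gt;hi&lt;/b&gt;') === '&amp;lt;b&amp;gt;hi&amp;lt;/b&amp;gt;');
assert(render_decoded('&amp;lt;b&amp;gt;') === '&lt;b&gt;'); // one decode pass per call
```

Run with `php example.php`; the decoded column shows the escaping being undone, while the encoded column shows the same input rendered as text.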