--- Adam i Agnieszka Gasiorowski FNORD <[EMAIL PROTECTED]> wrote:
> "Chris W. Parker" wrote:
> > 10. Use htmlentities() on data that will be put through a SQL query to
> > prevent XSS attacks. http://php.net/htmlentities
> 
> How is it going to interact with MySQL FULLTEXT search SQL queries,
> where the characters ">" and "<" are in use as modifiers?

His suggestion was just that, a suggestion. You are the expert of your own
applications, so you know when it is best to follow a suggestion or ignore
it. Guidelines like this are mostly about exposing people to certain ideas
that make them open their eyes. If you understand the risk and can
mitigate it through other means, that is fine.

In your case, it might be best to use something like htmlentities() prior
to displaying the data to a user rather than prior to storage. Some data
filtering is still a good idea, of course, and you might want to consider
the data in the database tainted if your data filtering prior to storage
is incomplete, whether by necessity or design.

The most common approach is to cleanse data as soon as possible, but this
isn't always best.

Hope that helps.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
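
As an added illustration (not code from the thread), the two orderings discussed above in PHP: encoding with htmlentities() before the FULLTEXT query versus only at display time. The `articles` table, its `body` column and the search term are assumptions; no database is contacted, the function returns the SQL text and the bound value it would send.

```php
<?php
// Added example, not from the mailing-list thread. It contrasts the two
// places htmlentities() could be applied: before the FULLTEXT query (which
// breaks the < and > relevance modifiers) versus when the stored, tainted
// text is rendered as HTML (which keeps the search intact and still
// neutralises markup in the browser). Nothing is executed against MySQL.

// Constructed input: a BOOLEAN MODE term using the +, < and > modifiers,
// carrying a tag that must never be echoed back unencoded.
$userTerm = '+mysql <php >security <script>alert(1)</script>';

/**
 * Build the FULLTEXT query for an assumed articles(body) table.
 * Returns [sql, boundValue] instead of executing, so the effect of
 * $encodeBeforeQuery on what MySQL would receive can be inspected.
 */
function buildSearch(string $term, bool $encodeBeforeQuery): array
{
    // Encoding here is what the quoted guideline amounts to.
    if ($encodeBeforeQuery) {
        $term = htmlentities($term, ENT_QUOTES, 'UTF-8');
    }
    // A placeholder keeps the value out of the SQL text entirely; the driver
    // handles quoting, so HTML encoding adds nothing to SQL safety here.
    $sql = 'SELECT id, body FROM articles'
         . ' WHERE MATCH(body) AGAINST(? IN BOOLEAN MODE)';
    return [$sql, $term];
}

// Encode only at the point where stored (tainted) text becomes HTML.
function renderRow(array $row): string
{
    return '<li>' . htmlentities($row['body'], ENT_QUOTES, 'UTF-8') . '</li>';
}

[$sql, $early] = buildSearch($userTerm, true);
[$sql, $late]  = buildSearch($userTerm, false);

// Early encoding turns "<php" into "&lt;php": MySQL now sees an ordinary
// word rather than the "lower relevance" modifier, so the search changes.
echo "encode-first bound value:     $early\n";
echo "encode-on-output bound value: $late\n";

// Constructed row, as it might come back from the tainted table; the
// script tag is rendered as text, not executed.
$row = ['id' => 7, 'body' => 'notes on <b>php</b> <script>alert(1)</script>'];
echo renderRow($row), "\n";
```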

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
