03-24-2012, 10:49 AM
I'm quite surprised (in a worried way, that is) that no one else has picked up on the first code block problem:
(03-13-2011, 05:08 PM)Peter L Wrote:
PHP Code:
    $con = mysql_connect('$dbhost', '$dbuser', '$dbpass');
So as shown in the code above, you are no longer taking the variables as what they stand for. You're treating them as literals because you have used single quotes around them, meaning that variables are no longer parsed.
Also I disagree with you ★Cooldude★ because you are using two clashing functions:
(01-14-2012, 04:46 PM)★Cooldude★ Wrote: Really?
PHP Code:
    function sanitise($input){
        return htmlentities(strip_tags(mysql_real_escape_string($input)));
    }
strip_tags does exactly what it's called: it strips the opening and closing tags (including the text inside of them) from the user's input. However, you're using htmlspecialchars over that again. This is rather pointless because you have already stripped the tags, and now you are trying to convert them?
I would keep it to just escaping the user's data into the database (with the likes of mysql_real_escape_string, or addslashes), and then upon output of data from the database, I would use the function htmlspecialchars (to prevent XSS attacks). The reason being is that you may forget to use htmlspecialchars upon user input, which would leave you vulnerable upon output of data from your database because you have trusted all of the data inside your database (don't ever do that).
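The layout the reply above argues for, written out as an added example that is not code from the thread: variables only interpolate inside double quotes, data is handled at the database boundary (PDO prepared statements against an in-memory SQLite database stand in for mysql_real_escape_string, which PHP 7 removed), and htmlspecialchars is applied only at output. The table name, column name and comment text are constructed for this example.

```php
<?php
// Added example, not from the thread. Uses SQLite in memory so it runs
// without a MySQL server; bound parameters replace mysql_real_escape_string.

// 1. Single quotes do not interpolate: '$dbhost' is the literal text
//    "$dbhost", while "$dbhost" substitutes the variable's value.
$dbhost = 'db.example.internal'; // constructed value
function is_literal(string $s): bool {
    return $s === '$dbhost';
}
var_dump(is_literal('$dbhost'));  // the quoted name, not the host
var_dump(is_literal("$dbhost"));  // the host value, so no longer a literal

// 2. Store the raw text. The driver keeps data and SQL apart, so a quote
//    in $body cannot terminate the statement. No HTML handling happens here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

function store_comment(PDO $pdo, string $body): void {
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// 3. Encode for HTML at output time only; the database is not trusted,
//    so every value read back goes through htmlspecialchars.
function render_comment(string $body): string {
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed input that contains both an SQL quote and markup.
store_comment($pdo, "O'Brien said <b>hi</b>");

foreach ($pdo->query('SELECT body FROM comments') as $row) {
    echo render_comment($row['body']), PHP_EOL;
}
```

The stored row keeps the apostrophe and the <b> tag unchanged; only the rendered string has them encoded, which is the separation of concerns the reply describes.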