|
Posted by Chris Shiflett on 09/22/05 02:02
Jasper Bryant-Greene wrote:
> Before outputting anything user-sourced to the browser,
> htmlspecialchars() it, preferably with the ENT_QUOTES option. If you
> want to allow some HTML, only then parse the string to un-escape
> certain HTML tags.
Jasper++
> Check the types if it's a problem for you (using PHP's many type
> functions);
Checking data types can be very misleading. I've seen many examples
(even recently in a book) that use is_int() to check to see whether
something in $_GET or $_POST is an integer. Because everything in $_GET
and $_POST is a string, this check always fails.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Navigation:
[Reply to this message]
|