Re: [PHP] security/sql issues with php
Posted by Chris Shiflett on 09/22/05 02:02

Jasper Bryant-Greene wrote:
> Before outputting anything user-sourced to the browser,
> htmlspecialchars() it, preferably with the ENT_QUOTES option. If you
> want to allow some HTML, only then parse the string to un-escape
> certain HTML tags.

Jasper++

> Check the types if it's a problem for you (using PHP's many type
> functions);

Checking data types can be very misleading. I've seen many examples
(even recently in a book) that use is_int() to check to see whether
something in $_GET or $_POST is an integer. Because everything in $_GET
and $_POST is a string, this check always fails.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
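The two points made above, as an added PHP example that is not code from either poster's message: output escaping with htmlspecialchars() and ENT_QUOTES, and a type check for request parameters that does not fall into the is_int() trap. The $request array is a constructed stand-in for $_GET or $_POST, and the example assumes a PHP version with filter_var() and FILTER_VALIDATE_INT (these arrived after the 2005 post; on older PHP ctype_digit() plus a range check plays the same role).

```php
<?php
// Added example; not part of the original post.

// Constructed sample input standing in for $_GET / $_POST. Note that every
// value is a string, exactly as PHP delivers request parameters.
$request = [
    'name' => '"><b>not bold</b>',   // attribute-breaking characters
    'id'   => '42',                   // looks like an integer, but is a string
    'page' => '42abc',                // not an integer at all
];

/**
 * Escape a user-sourced string for inclusion in HTML text or in a
 * double- or single-quoted attribute. ENT_QUOTES makes both quote
 * characters get escaped, which htmlspecialchars() alone does not
 * guarantee on older PHP versions.
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Validate that a request parameter holds an integer and return it as
 * an int, or null when it does not. is_int() would never succeed here,
 * because the raw value is always a string (or an array, if the client
 * sent id[]=...), so the check has to validate the string's contents.
 */
function request_int(array $source, string $key): ?int
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts an optional sign and decimal digits only;
    // it returns false for "42abc", "", " 42" and similar.
    $result = filter_var($source[$key], FILTER_VALIDATE_INT);
    return $result === false ? null : $result;
}

// 1. Output escaping: the quote and angle brackets in 'name' become
//    entities, so the attribute cannot be broken out of.
echo '<input type="text" value="' . escape_html($request['name']) . '">' . PHP_EOL;

// 2. Type checking: is_int() on the raw string fails as the post describes,
//    while request_int() validates the contents and yields a real int.
var_dump(is_int($request['id']));
var_dump(request_int($request, 'id'));
var_dump(request_int($request, 'page'));
```

Keep the two functions separate in real code: escaping belongs at the point of output (HTML context), while validation belongs at the point of input, before the value reaches a query or a file path.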
