Posted by Anthony Tippett on 04/05/05 02:55
Eric,
It sounds like you just need to do some reading on "best practices" of
security when writing php code. It's pretty vast what one can do when
trying to hack a php application and depending on what php server
settings are set, you may need to do certain things. I'd suggest
reading / googling php security and viewing pages like the following to
answer your question. It may only answer your question in the long run,
but there are many more things to know about besides htmlentities to
make sure your application is secure. I actually need to do some
reading about them. Once in a while
http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
Also events like the following are good to go to especially if you can
get your company to pay for them.
http://www.osevents.com/page5.html?
Eric Gorr wrote:
> Chris W. Parker wrote:
>> Or in a less extreme case, your computer gets hijacked and used to send
>> spam because you used htmlentities() instead of strip_tags().
>
> Well, this is why I asked the question to begin with. I am concerned (as
> everyone _should_ be) about such things and desire to do my best to
> prevent them.
>
> Now, as near as I can tell, strip_tags is the only thing one really
> needs to do to be safe.
>
> But, one can use htmlentities to potentially preserve useful text, if it
> is important to do so and still remain safe - with the downside being
> having a messier body than may be necessary.
>
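The thread compares htmlentities() and strip_tags() as a way of making echoed user text safe. The example below is added here and is not code from any poster; it shows the two functions side by side on constructed input and makes the point that strip_tags() only removes markup, so whatever survives it still has to be encoded before it is written into a page, while htmlentities() keeps the text readable and lets the browser treat none of it as markup. It assumes PHP 5.4 or later and UTF-8 pages.

```php
<?php
// Added example, not from the original thread.
// Output encoding vs. tag stripping for user-supplied text that is
// echoed back into an HTML document. Inputs are constructed.

function render_escaped(string $text): string
{
    // Encode every HTML-significant character (< > & " ') so the
    // original text is preserved but never parsed as markup.
    // ENT_QUOTES covers both quote styles, which matters inside attributes.
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

function render_stripped(string $text): string
{
    // strip_tags() discards tags but does not encode what remains,
    // so the stripped result is still passed through htmlentities().
    // Stripping alone is a filter, not an encoder.
    return htmlentities(strip_tags($text), ENT_QUOTES, 'UTF-8');
}

// Constructed samples: one with benign markup and comparison operators
// (text a user might legitimately write), one with quotes that matter
// when the value is placed inside an attribute.
$samples = [
    'Use <b>bold</b> for emphasis; note that 2 < 3 & 5 > 4',
    'Tom "Bomb" O\'Neil',
];

foreach ($samples as $s) {
    echo "input:    $s\n";
    // Body context: the encoded text is safe to place between tags.
    echo "escaped:  " . render_escaped($s) . "\n";
    // Tags dropped, then encoded; the reader loses the author's markup.
    echo "stripped: " . render_stripped($s) . "\n";
    // Attribute context: quotes must be encoded, which ENT_QUOTES ensures.
    echo "attr:     <input type=\"text\" value=\"" . render_escaped($s) . "\">\n\n";
}
```

Which to choose depends on whether the application wants to keep the author's text verbatim (encode it with htmlentities(), stating the charset explicitly) or deliberately drop markup (strip_tags(), followed by encoding anyway). In neither case is stripping a substitute for encoding at the point of output.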