XSS Preventing.

am 22.06.2009 21:51:58 von Caner Bulut


Hi Guys,

I have a question; if you have any knowledge about this please let me know.

I am getting data from a form with the POST method like the following.

$x = htmlentities($_POST['y']);

..

After getting all the form data I save it into the DB; I used
mysql_real_escape_string.

I have a page which shows the information that I have saved into the DB. But if I
don't use html_entity_decode, there are encoding and charset problems. I
can't set the htmlentities charset parameter because this function does not
have Turkish charset support.

The question is that, after saving data into the DB using htmlentities, on
the information page if I use the html_entity_decode function is there still an
XSS risk or not? Does the html_entity_decode function bring back all the risk again?

Please help.

Thanks.

Caner.



Re: XSS Preventing.

am 22.06.2009 22:27:03 von Shawn McKenzie

Caner BULUT wrote:
> Hi Guys,
>
> I have a question; if you have any knowledge about this please let me know.
>
> I am getting data from a form with the POST method like the following.
>
> $x = htmlentities($_POST['y']);
>
> ..
>
> After getting all the form data I save it into the DB; I used
> mysql_real_escape_string.
>
> I have a page which shows the information that I have saved into the DB. But if I
> don't use html_entity_decode, there are encoding and charset problems. I
> can't set the htmlentities charset parameter because this function does not
> have Turkish charset support.
>
> The question is that, after saving data into the DB using htmlentities, on
> the information page if I use the html_entity_decode function is there still an
> XSS risk or not? Does the html_entity_decode function bring back all the risk again?
>
> Please help.
>
> Thanks.
>
> Caner.
>

Don't htmlentities() before DB save. In general:

- mysql_real_escape_string() before DB insertion

- htmlentities() before display

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: Re: XSS Preventing.

am 22.06.2009 22:32:17 von Caner Bulut

Thanks for the response.

But if I use it before display, charset problems occur. And
htmlentities does not support the Turkish charset. How can I decode data after
passing it through htmlentities?

Thanks.

-----Original Message-----
From: Shawn McKenzie [mailto:nospam@mckenzies.net]
Sent: 22 June 2009 23:27
To: php-general@lists.php.net
Subject: [PHP] Re: XSS Preventing.


Don't htmlentities() before DB save. In general:

- mysql_real_escape_string() before DB insertion

- htmlentities() before display

--
Thanks!
-Shawn
http://www.spidean.com



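As an added example (not code from this thread or from either poster), here is the store-raw, escape-on-display pattern Shawn describes, in PHP, written so that it also covers Caner's charset problem. The raw POST value goes into the database through a prepared statement, which does the job mysql_real_escape_string was used for here, and the value is HTML-encoded only at the point where it is written into the page, with the charset passed explicitly as UTF-8, so Turkish letters pass through unchanged and there is nothing to html_entity_decode on the way out. (The charset trouble in the thread is consistent with the pre-PHP-5.4 default charset of htmlentities, ISO-8859-1, being applied to ISO-8859-9 bytes; naming the charset, and using UTF-8 throughout, avoids that.) The example assumes UTF-8 end to end (form, connection, table, page) and uses an in-memory SQLite database as a stand-in for MySQL; the sample comment text is constructed. The last function shows why entity-encoding before storage and decoding before display does not help: the decode restores the original bytes, script tag included.

```php
<?php
// Added example, not from the thread. Store the raw submitted value through a
// prepared statement and HTML-encode only when rendering. Assumes UTF-8 end to
// end; an in-memory SQLite database stands in for MySQL.
declare(strict_types=1);

// Output encoding for an HTML text node or a quoted attribute value. The
// charset is given explicitly: with UTF-8, Turkish letters (ş, ğ, ı, İ, ö, ü, ç)
// are left alone and only & < > " ' are converted.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Storage: bind the raw value. The prepared statement keeps the data out of the
// SQL text, which is what mysql_real_escape_string() was for. No HTML encoding here.
function store_comment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Display: encode exactly where the string becomes HTML.
function render_comment(PDO $db, int $id): string
{
    return '<p class="comment">' . h(load_comment($db, $id)) . '</p>';
}

// The pattern asked about in the thread: entity-encode before storage, decode
// before display. The decode undoes the encode, so any markup in the input
// reaches the browser as markup.
function encode_then_decode(string $body): string
{
    $stored = htmlentities($body, ENT_QUOTES, 'UTF-8');
    return '<p class="comment">' . html_entity_decode($stored, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input: Turkish text plus an injected script tag.
$input = "Şişli'den selam <script>alert(document.cookie)</script>";

$db = open_db();
$id = store_comment($db, $input);

$safe = render_comment($db, $id);
if (strpos($safe, '<script') !== false || strpos($safe, 'Şişli') === false) {
    throw new RuntimeException('output encoding failed');
}

$unsafe = encode_then_decode($input);
if (strpos($unsafe, '<script>') === false) {
    throw new RuntimeException('expected the decoded value to contain the raw tag');
}

echo "stored : ", load_comment($db, $id), PHP_EOL;
echo "safe   : ", $safe, PHP_EOL;
echo "unsafe : ", $unsafe, PHP_EOL;
```

Run it with the php CLI (the pdo_sqlite extension must be loaded). The two checks throw if the rendered output still carries a raw tag or has lost the Turkish letters. h() is suitable for element content and for quoted attribute values, because ENT_QUOTES encodes both quote characters; URL, CSS and JavaScript contexts need their own encoders and are not covered here.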

Re: Re: XSS Preventing.

am 22.06.2009 23:00:54 von Shawn McKenzie

Caner BULUT wrote:
> Thanks for the response.
>
> But if I use it before display, charset problems occur. And
> htmlentities does not support the Turkish charset. How can I decode data after
> passing it through htmlentities?

I have no idea, I was just saying that if you use it, use it for display
and not for storage. If you only use it for display, then you don't
need to decode it. Also, what do you mean it doesn't support the
Turkish charset? Does it mangle some of the chars? You are using it so
that you don't get markup