Hey Gurus, I consider this piece of code secure from XSS attacks but apparently it is not, according to a program which analyses website vulnerabilities (Acunetix Web Scanner).
<?php
// Posted code, syntax corrected: isset() wraps the variable, not the other way round.
if (isset($_GET['msg'])) {
    // SQL escaping applied to a value that is echoed into HTML, not sent to MySQL
    $msg = mysql_real_escape_string($_GET['msg']);
    echo "<div class=\"msg\">$msg</div>";
}
Is the program wrong or am I wrong? For the record, I don't rely on programs to find my security flaws, I just use it out of curiosity; a second opinion doesn't hurt after all.
mysql_real_escape_string escapes data which will be sent to a database.
When you are outputting HTML, you have to escape data with htmlspecialchars / htmlentities.
Data should be escaped when it is used, in the context in which it is used. There are different functions / ways to escape data for output, for the database, for working with the filesystem, etc.
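To make the point in the answer above concrete, here is an added example (not code from either poster) showing why the SQL escaping in the question does nothing against an XSS payload, and what HTML-context escaping does to the same input. mysql_real_escape_string() needs a live MySQL connection and the mysql extension was removed in PHP 7, so the block uses a stand-in function, legacy_sql_escape(), that applies the escaping rule the PHP manual documents for it (a backslash before NUL, \n, \r, \, ', " and Control-Z); that stand-in, the payload string and the function names are assumptions for illustration. It runs on PHP 7 or later.

```php
<?php
// Added example: SQL escaping versus HTML escaping on the same untrusted input.
//
// Stand-in for mysql_real_escape_string(), which needs a DB connection and no
// longer exists in PHP 7+. Assumption: it has no effect beyond prefixing these
// seven characters with a backslash, as the PHP manual describes.
function legacy_sql_escape(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// The approach from the question: escape for SQL, then echo into HTML.
function render_vulnerable(string $msg): string
{
    $msg = legacy_sql_escape($msg);
    return "<div class=\"msg\">$msg</div>";
}

// Escaping for the context the value is actually used in: HTML element content.
// ENT_QUOTES also covers single quotes (relevant if the value ever lands in an
// attribute), ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the
// output, and the explicit charset stops multibyte encoding tricks.
function render_safe(string $msg): string
{
    $msg = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div class=\"msg\">$msg</div>";
}

// Constructed payload: it contains none of the characters SQL escaping touches
// (no quotes, backslashes, newlines), so it passes through byte for byte.
$payload = '<img src=x onerror=alert(document.cookie)>';

echo render_vulnerable($payload), PHP_EOL;
// Output: <div class="msg"><img src=x onerror=alert(document.cookie)></div>
// The browser parses the img tag and runs the onerror handler.

echo render_safe($payload), PHP_EOL;
// Output: <div class="msg">&lt;img src=x onerror=alert(document.cookie)&gt;</div>
// The browser shows the payload as literal text; nothing executes.
```

Run it from the command line (php example.php) and feed the two outputs to a browser to see the difference. The scanner in the question is right: the only characters mysql_real_escape_string rewrites are the ones that break a SQL string literal, and an attacker who needs none of them gets an unmodified tag into the page. The fix is to keep the value raw until the point of use and apply htmlspecialchars() there; if the same value is also stored, escape it separately for SQL at that point (or, better, use a prepared statement), rather than trying to find one escaping that serves both contexts.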