DB to XML

kkonline
Forum Contributor
Posts: 251
Joined: Thu Aug 16, 2007 12:54 am

DB to XML

Post by kkonline »

I am working on an article manager, and the output data may contain " ' , ; % signs which are valid, and I don't want them to be escaped. However, I want it to be safe from XSS attacks. The following is the code I am using to display the data extracted from the db.

Your comments and suggestions, or better, more efficient code, are welcome!

Contents of config.php

<?php
$hostname_conn = "localhost";
$database_conn = "mysql";
$username_conn = "root";
$password_conn = "pass";
$conn = mysql_pconnect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(),E_USER_ERROR); 
?>

<?php
include('config.php'); // file name must be a quoted string

mysql_select_db($database_conn, $conn);
$query_rsAll = "SELECT `maintext` FROM `phpnews_news`";
$rsAll = mysql_query($query_rsAll, $conn) or die(mysql_error());

$row_rsAll = mysql_fetch_assoc($rsAll);

$totalRows_rsAll = mysql_num_rows($rsAll);

header('Content-type: text/xml');
header('Pragma: public');
header('Cache-control: private');
header('Expires: -1');

echo '<?xml version="1.0" encoding="utf-8"?><root>';

if ($totalRows_rsAll > 0) {
    do {
        echo '<row>';

        foreach ($row_rsAll as $column => $value) {
            // HTML-encode the column value (quotes left alone), then wrap it in CDATA
            $row_rsAll[$column] = htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');

            echo "<$column><![CDATA[" . $row_rsAll[$column] . "]]></$column>";
            // note the period . will join strings together.
        }

        echo "</row>";
    } while ($row_rsAll = mysql_fetch_assoc($rsAll));
}
echo '</root>';

mysql_free_result($rsAll);
?>
I am working with an article manager and don't want & , ; % - ' " to be misprinted; also, the data should be free from XSS attacks as much as possible.

I am extracting data from db and then converting it into XML.

I use

$row_rsAll[$column]=htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');
in the XML conversion code. Is that fine, or should I use htmlspecialchars?

My aim is to secure against XSS and also the XML data when printed (when the article is printed in the browser it should not show &at; " &amp;).

Or should I use the XSS-specific code written at http://svn.bitflux.ch/repos/public/popo ... linput.php
and apply it to $row_rsAll?
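An added example (not from the original post or from any project) of the same DB-to-XML loop written with XMLWriter instead of htmlentities inside CDATA: XMLWriter escapes & < > itself, so an XML consumer gets the original characters back, and the HTML escaping that actually stops XSS is applied once, with htmlspecialchars and ENT_QUOTES, at the point the consumer prints the text into a page. The $rows array is a constructed stand-in for the rows fetched from the database.

```php
<?php
// Added example, not the poster's code. Entities placed inside a CDATA section
// stay literal, which is why "&amp;" appears in the article; and CDATA is not an
// escape at all, since a value containing "]]>" ends the section early.
function rowsToXml(array $rows): string
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->startDocument('1.0', 'UTF-8');
    $w->startElement('root');
    foreach ($rows as $row) {
        $w->startElement('row');
        foreach ($row as $column => $value) {
            // Column names come from the schema, not from users, but restrict
            // them to a safe element-name subset anyway.
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
                throw new InvalidArgumentException("unsafe column name: $column");
            }
            // Strip code points XML 1.0 cannot carry (C0 controls other than
            // tab/LF/CR, surrogates, U+FFFE/FFFF); text columns may hold them.
            $clean = preg_replace(
                '/[^\x09\x0A\x0D\x20-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]/u',
                '',
                (string) $value
            );
            if ($clean === null) {
                throw new UnexpectedValueException("column $column is not valid UTF-8");
            }
            $w->startElement($column);
            $w->text($clean); // & < > are escaped here, nothing else is altered
            $w->endElement();
        }
        $w->endElement();
    }
    $w->endElement();
    $w->endDocument();
    return $w->outputMemory();
}

// Constructed sample row standing in for a fetched database row.
$rows = [['maintext' => 'Tom & Jerry: 50% off "today"; <b>bold</b> ]]> done']];

header('Content-Type: text/xml; charset=utf-8');
echo rowsToXml($rows);
```

When the consumer renders a value from this XML into HTML, that is where htmlspecialchars($value, ENT_QUOTES, 'UTF-8') belongs; doing it on the way into the XML is what made the entities show up in the article text.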
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Duplicate thread. Locked.