DB to XML

Posted: Tue Aug 21, 2007 12:50 am
by kkonline
I am working on an article manager, and the output data may contain " ' , ; % signs which are valid and I don't want them to be escaped. However, I want it to be safe from XSS attacks. The following is the code I am using to display data extracted from the DB.

Your comments and suggestions, or better and more efficient code, are welcome!

Contents of config.php

<?php
$hostname_conn = "localhost";
$database_conn = "mysql";
$username_conn = "root";
$password_conn = "pass";
$conn = mysql_pconnect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(),E_USER_ERROR); 
?>

<?php
include('config.php');   // the file name must be a quoted string

mysql_select_db($database_conn, $conn);
$query_rsAll = "SELECT `maintext` FROM `phpnews_news`";
$rsAll = mysql_query($query_rsAll, $conn) or die(mysql_error());

$row_rsAll = mysql_fetch_assoc($rsAll);
$totalRows_rsAll = mysql_num_rows($rsAll);

header('Content-type: text/xml');
header('Pragma: public');
header('Cache-control: private');
header('Expires: -1');

echo '<?xml version="1.0" encoding="utf-8"?><root>';

if ($totalRows_rsAll > 0) {
    do {
        echo '<row>';
        foreach ($row_rsAll as $column => $value) {
            // entity-encode the column value, then wrap it in a CDATA section
            $row_rsAll[$column] = htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');
            echo "<$column><![CDATA[" . $row_rsAll[$column] . "]]></$column>";
            // note the period . will join strings together.
        }
        echo "</row>";
    } while ($row_rsAll = mysql_fetch_assoc($rsAll));
}
echo '</root>';

mysql_free_result($rsAll);
?>
I am working with an article manager and don't want & , ; % - ' " to be misprinted; also, the data should be free from XSS attacks as much as possible.

I am extracting data from the DB and then converting it into XML.

I use

$row_rsAll[$column]=htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');

in the XML conversion code. Is that fine, or should I use htmlspecialchars?

My aim is to secure against XSS and also to keep the XML data intact when printed (when the article is displayed in the browser, it should not show &at; " &amp).

Or should I use the XSS-specific code written at http://svn.bitflux.ch/repos/public/popo ... linput.php
and apply it to $row_rsAll?
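The following is an added example written for this thread, not code from the original post or from the article manager it describes. It replaces the mysql_fetch_assoc() loop with two constructed rows (one of them containing a `]]>` sequence and a script tag) and compares what an XML consumer actually reads back under four encodings: the post's htmlentities-inside-CDATA, plain XML entity escaping, raw CDATA with `]]>` split, and XMLWriter. The function names, the sample strings and the validity check on column names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Rows are constructed inline
// in place of the mysql_fetch_assoc() loop so the script runs offline.
// XSS defence belongs to whatever renders this text into HTML; the XML layer's
// job is only to transport the text unchanged.
$rows = [
    ['maintext' => 'He said "it\'s 50% off; <b>bold</b> & more"'],
    ['maintext' => 'Ends a CDATA section early: ]]> <script>alert(1)</script>'],
];

// The question's approach: entity-encode, then wrap in CDATA. An XML parser
// never decodes entities inside CDATA, so the consumer receives the literal
// strings "&amp;" and "&lt;b&gt;" instead of the original characters.
function cdataWithEntities(string $value): string
{
    return '<![CDATA[' . htmlentities($value, ENT_NOQUOTES, 'UTF-8') . ']]>';
}

// Manual alternative 1: escape the XML metacharacters as entities (no CDATA).
// ENT_XML1 produces &apos;/&quot;, which XML parsers decode back to ' and ".
function xmlEscape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Manual alternative 2: raw CDATA. Only "]]>" cannot appear inside a CDATA
// section; split it across two sections so the data still round-trips.
function cdataRaw(string $value): string
{
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $value) . ']]>';
}

// Preferred: let XMLWriter escape the text content, and validate element
// names, since a database column name is being used as a tag name.
function rowsToXml(array $rows): string
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->startDocument('1.0', 'UTF-8');
    $w->startElement('root');
    foreach ($rows as $row) {
        $w->startElement('row');
        foreach ($row as $column => $value) {
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.-]*$/', (string) $column)) {
                throw new InvalidArgumentException("Column name is not a valid XML element name: $column");
            }
            $w->writeElement((string) $column, (string) $value); // metacharacters are escaped for us
        }
        $w->endElement(); // row
    }
    $w->endElement(); // root
    $w->endDocument();
    return $w->outputMemory();
}

// What a consumer sees: the parsed text content of each <maintext> element.
function readBack(string $xml): array
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NONET);
    $out = [];
    foreach ($doc->getElementsByTagName('maintext') as $node) {
        $out[] = $node->textContent;
    }
    return $out;
}

$original = array_column($rows, 'maintext');

foreach (['cdataWithEntities', 'xmlEscape', 'cdataRaw'] as $fn) {
    $xml = '<?xml version="1.0" encoding="UTF-8"?><root>';
    foreach ($original as $text) {
        $xml .= '<row><maintext>' . $fn($text) . '</maintext></row>';
    }
    $xml .= '</root>';
    $verdict = readBack($xml) === $original ? 'round-trips' : 'is CHANGED on read';
    echo str_pad($fn, 18) . ": data $verdict\n";
}
$verdict = readBack(rowsToXml($rows)) === $original ? 'round-trips' : 'is CHANGED on read';
echo str_pad('XMLWriter', 18) . ": data $verdict\n";
```

Running it shows the point of the thread: with htmlentities inside CDATA the reader gets `&amp;` and `&lt;b&gt;` as literal text, which is exactly the misprinting the poster wants to avoid, while the other three encodings return every `"`, `'`, `;`, `%` and `&` unchanged. Whether the `<script>` in the second row can then execute depends entirely on the consumer, which should insert the text as a text node or HTML-escape it at the moment it is written into the page.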

Posted: Tue Aug 21, 2007 8:13 am
by feyd
Duplicate thread. Locked.