DB to XML
Posted: Tue Aug 21, 2007 12:50 am
I am working on an article manager, and the output data may have & , ; % - ' " signs which are valid, and I don't want them to be escaped or misprinted. However, I want it to be safe from XSS attacks as much as possible. The following is the code I am using to display data extracted from the db.
Your comments and suggestions, or better, more efficient code, are welcome!
Contents of config.php
Code: Select all
<?php
// Connects as MySQL root to the `mysql` system database; a dedicated account with
// SELECT on `phpnews_news` only would limit what a compromised script could do.
// (mysql_* functions were removed in PHP 7; mysqli or PDO are the replacements.)
$hostname_conn = "localhost";
$database_conn = "mysql";
$username_conn = "root";
$password_conn = "pass";
$conn = mysql_pconnect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(), E_USER_ERROR);
?>
Code: Select all
<?php
include('config.php');   // the filename must be quoted; include(config.php) reads a bare constant
mysql_select_db($database_conn, $conn);
$query_rsAll = "SELECT `maintext` FROM `phpnews_news`";   // closing backtick was missing
$rsAll = mysql_query($query_rsAll, $conn) or die(mysql_error());
$row_rsAll = mysql_fetch_assoc($rsAll);
$totalRows_rsAll = mysql_num_rows($rsAll);
header('Content-type: text/xml');
header('Pragma: public');
header('Cache-control: private');
header('Expires: -1');
echo '<?xml version="1.0" encoding="utf-8"?><root>';
if ($totalRows_rsAll > 0) {
    do {
        echo '<row>';
        foreach ($row_rsAll as $column => $value) {
            // The encoded text is then wrapped in CDATA, so the XML parser hands the
            // consumer the literal strings "&lt;", "&amp;" etc. instead of decoding them.
            // ENT_NOQUOTES leaves ' and " alone but still turns > into &gt;, so a value
            // containing "]]>" cannot close the CDATA section early.
            $row_rsAll[$column] = htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');
            echo "<$column><![CDATA[" . $row_rsAll[$column] . "]]></$column>";
            // note the period . will join strings together.
        }
        echo "</row>";
    } while ($row_rsAll = mysql_fetch_assoc($rsAll));
}
echo '</root>';
mysql_free_result($rsAll);
?>
I am extracting data from the db and then converting it into XML.
I use
Code: Select all
$row_rsAll[$column] = htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');
in the XML conversion code. Is that fine, or should I use htmlspecialchars? My aim is to secure against XSS and also the XML data when printed (when the article is printed in the browser it should not have &at; " &).
Or should I use the XSS-specific code written at http://svn.bitflux.ch/repos/public/popo ... linput.php
and apply it to $row_rsAll?
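The script below is an added example, not the poster's code or anything from the phpnews project. It builds the same root/row/maintext document, but treats the two concerns separately: escaping so the output is well-formed XML (the five XML entities, or a CDATA section with "]]>" split, plus removal of control characters XML 1.0 forbids), and leaving HTML escaping to whatever finally renders the text in the browser. The sample rows are constructed; the PDO query shown in the comment is an assumption about how the real rows would be fetched, and the function names are mine. The third mode reproduces the original post's htmlentities-inside-CDATA approach so the results can be compared side by side.

```php
<?php
// Added example, not the original poster's code. Emits the same
// <root><row><maintext>...</maintext></row></root> document but escapes for XML only,
// leaving HTML escaping to whatever finally renders the text in a browser. The rows
// below are constructed for the demo; a PDOStatement fetched with PDO::FETCH_ASSOC
// can be passed to rows_to_xml() in their place (that connection is an assumption):
//   $rows = (new PDO('mysql:host=localhost;dbname=mysql;charset=utf8mb4', $user, $pass))
//               ->query('SELECT `maintext` FROM `phpnews_news`', PDO::FETCH_ASSOC);
declare(strict_types=1);

// XML 1.0 forbids most C0 control characters, escaped or not: one stray \x07 stored in
// the database makes parsers reject the whole document, so drop them. Invalid UTF-8 is
// replaced first, because preg_replace() with /u returns null on malformed input.
function strip_xml_illegal(string $s): string
{
    $s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');
    return preg_replace('/[^\x{9}\x{A}\x{D}\x{20}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]/u', '', $s) ?? '';
}

// Text node via escaping. ENT_XML1 limits the output to the five entities every XML
// parser knows (&amp; &lt; &gt; &quot; &apos;); htmlentities would emit HTML-only names
// such as &eacute;, which are undefined in XML and make the document unparseable.
function xml_text(string $s): string
{
    return htmlspecialchars(strip_xml_illegal($s), ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Text node via CDATA. Nothing is entity-encoded, so "]]>" is the only sequence that can
// end the section early; splitting it across two sections keeps the data verbatim.
function xml_cdata(string $s): string
{
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', strip_xml_illegal($s)) . ']]>';
}

// The original post's approach, kept for comparison: entities inside CDATA are not
// decoded by the XML parser, so the consumer receives literal "&amp;" and "&lt;" text.
function xml_cdata_entities(string $s): string
{
    return '<![CDATA[' . htmlentities($s, ENT_NOQUOTES, 'UTF-8') . ']]>';
}

// Column names come from the table schema, not from users, but they become element
// names, so refuse anything that is not a plain XML Name rather than trusting the schema.
function rows_to_xml(iterable $rows, ?callable $textNode = null): string
{
    $textNode ??= 'xml_text';
    $xml = '<?xml version="1.0" encoding="utf-8"?><root>';
    foreach ($rows as $row) {
        $xml .= '<row>';
        foreach ($row as $column => $value) {
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.-]*$/', (string) $column)) {
                throw new InvalidArgumentException("unsafe element name: $column");
            }
            $xml .= "<$column>" . $textNode((string) ($value ?? '')) . "</$column>";
        }
        $xml .= '</row>';
    }
    return $xml . '</root>';
}

// Parse the document the way a consumer would and return the decoded maintext values,
// or null when libxml rejects the document outright.
function read_back(string $xml): ?array
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOCDATA);
    if ($doc === false) {
        return null;
    }
    $texts = [];
    foreach ($doc->row as $row) {
        $texts[] = (string) $row->maintext;
    }
    return $texts;
}

// Constructed sample rows standing in for SELECT `maintext` FROM `phpnews_news`:
// the poster's punctuation, a CDATA break-out attempt, and a control character plus é.
$rows = [
    ['maintext' => 'Prices: 50% off "today" & tomorrow; don\'t miss it'],
    ['maintext' => 'ends the section ]]><script>alert(1)</script><![CDATA[ and continues'],
    ['maintext' => "bell \x07 char and caf\u{e9}"],
];

foreach (['xml_text', 'xml_cdata', 'xml_cdata_entities'] as $mode) {
    echo "$mode:\n";
    foreach (read_back(rows_to_xml($rows, $mode)) ?? ['(document did not parse)'] as $t) {
        echo "  ", $t, "\n";
    }
}
```

With xml_text and xml_cdata the parser returns every value exactly as stored, break-out attempt included as plain text, with only the BEL byte dropped; the poster's & " ' % ; characters print literally because the XML parser decodes the entities. The entities-inside-CDATA variant hands back "&amp;" and "&eacute;" as literal characters and, since the control character passes through untouched, the whole document fails to parse. The XSS defence then belongs to the consumer: in XSLT use xsl:value-of (which escapes on output) and never disable-output-escaping; in JavaScript assign the node text with textContent, not innerHTML. A filter like the one linked in the post is for the different case where articles are meant to carry HTML markup and only an allowed subset of tags should survive; it does not replace the XML escaping above.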