Dealing with large text areas.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


fambi
Forum Newbie
Posts: 18
Joined: Sun Apr 02, 2006 12:12 am

Post by fambi »

Hi Chris - nice to know that you take part in this forum!

I just had a read of the PHP Manual which says:
Like htmlspecialchars(), it takes an optional third argument charset which defines character set used in conversion. Support for this argument was added in PHP 4.1.0. Presently, the ISO-8859-1 character set is used as the default.
So, if the site's headers already declare:


<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
Is there still the need to define the character set used in the conversion?

Also, can you give an example in which the importance of ENT_QUOTES is highlighted.

Thanks all for your help.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

http://shiflett.org/archive/178

Hope that explains it better! :-)
Yes, yes it does. Thanks. I have to say I wasn't expecting the author to turn up like that. That's a nice surprise.

fambi:
htmlentities() is more "exhaustive" so use that. And personally I prefer to specify things rather than use defaults because defaults change with releases and also other programmers' knowledge of such things is not always very good. Certainly if I saw:


?>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
</head>
<body>
<?
echo htmlentities($_GET['name'], ENT_QUOTES);
I would assume it was incomplete and insecure even though in this case I may be fine. If you get tired of using such a long function call for htmlentities, write your own function and call that; this way it's easier to change encoding if you have to as well:


function htmlClean($str) {
  return htmlentities($str,ENT_QUOTES,'ISO-8859-1');
}
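The following is an added example written for this thread, not code posted by any of the participants. It reuses the htmlClean() wrapper shown above and adds a constructed input to show two things fambi asked about: why ENT_QUOTES matters when a value lands inside a single-quoted attribute, and why the charset is passed explicitly even when the page carries a <meta> charset tag (the tag tells the browser how to decode the bytes; PHP's htmlentities() never reads it). Ollie's "defaults change with releases" point is real: the default charset became UTF-8 in PHP 5.4 and the default flags gained ENT_QUOTES in PHP 8.1, so code that relied on the old defaults behaves differently across versions.

```php
<?php
// Added example, not code from the thread. Shows (a) why ENT_QUOTES matters
// for a value placed in a single-quoted attribute and (b) what happens when
// the charset passed to htmlentities() does not match the page's charset.
// htmlClean() is the wrapper from the post above; the inputs are constructed.

// Wrapper: always ENT_QUOTES, always an explicit charset. The charset here
// must match whatever the page actually declares and is served as.
function htmlClean($str)
{
    return htmlentities($str, ENT_QUOTES, 'ISO-8859-1');
}

// Constructed input: a single quote closes a single-quoted attribute and a
// second attribute is smuggled in after it.
$input = "Bob' title='injected";

// ENT_COMPAT (the pre-8.1 default) encodes double quotes only, so the single
// quote survives and the attribute boundary is broken.
$compat = htmlentities($input, ENT_COMPAT, 'ISO-8859-1');
echo "<input type='text' name='name' value='$compat'>\n";
// Output: <input type='text' name='name' value='Bob' title='injected'>

// ENT_QUOTES turns the single quote into &#039; and it stays inside the value.
echo "<input type='text' name='name' value='" . htmlClean($input) . "'>\n";
// Output: <input type='text' name='name' value='Bob&#039; title=&#039;injected'>

// Charset mismatch check: if the page is really served as UTF-8 but
// htmlentities() is told ISO-8859-1, each byte of a multi-byte character is
// treated as a separate Latin-1 character and the text is garbled.
$utf8 = "caf\xC3\xA9"; // "café" as UTF-8 bytes (constructed)
echo htmlentities($utf8, ENT_QUOTES, 'ISO-8859-1'), "\n"; // caf&Atilde;&copy;
echo htmlentities($utf8, ENT_QUOTES, 'UTF-8'), "\n";      // caf&eacute;
```

The practical check is to keep the charset in one place (the wrapper) and make sure it is the same string that appears in the Content-Type header and the <meta> tag; if those ever disagree, the garbled second-to-last line above is what the user sees, and in the worst case the browser and the encoder disagree about where a quote begins.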
fambi
Forum Newbie
Posts: 18
Joined: Sun Apr 02, 2006 12:12 am

Post by fambi »

ole wrote:If you get tired of using such a long function call for htmlentities, write your own function and call that; this way it's easier to change encoding if you have to as well:


function htmlClean($str) {
  return htmlentities($str,ENT_QUOTES,'ISO-8859-1');
}
Beat you to it... but thanks for the help.