I'm gradually building a very small intranet application with PHP and MySQL.
There will only be 10 users initially but I'm hoping to eventually replace our company FileMaker database for managing company and contact information.
I've made sure that every variable from external sources is running through the following function:
```php
// Normalise and SQL-escape one externally supplied value before it is used
// in a MySQL query string (PHP 5 / ext/mysql era code).
function mysql_clean($value) {
    // Undo the slashes PHP added automatically when magic_quotes_gpc was on,
    // so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape for use inside a quoted SQL string literal; this needs an open
    // mysql_connect() connection and covers SQL quoting only, not HTML.
    return trim(mysql_real_escape_string($value));
}
```

That makes sure all data that users could enter is secured, and then PHP can deal with it safely.
But I'm worried about the potential of XSS or malicious HTML code being displayed on the script pages.
Is it enough to run the htmlspecialchars() function on any variables that will be output on the HTML page?
Or should I also run htmlspecialchars() on variables even if they're not going to be in the HTML output?
Thanks
Ben
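The distinction the question turns on is that SQL escaping and HTML escaping protect two different contexts, and HTML escaping belongs at the point of output, applied once per value, to every value that reaches the page. The following is an added example, not code from the post above: it stores raw values with a PDO prepared statement (a swapped-in technique, not the post's mysql_real_escape_string approach) and escapes only when rendering. The table name, column names, the `INTRANET_DSN` environment variable and the sample rows are all constructed for the example.

```php
<?php
// Added example (not from the original post). Assumes PHP 7+ with the PDO
// MySQL driver; the DSN and table layout are placeholders.

// HTML-escape one value for use in element content or a quoted attribute.
// ENT_QUOTES also escapes single quotes, so the result is safe inside
// single-quoted attributes too; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of silently returning an empty string.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the value exactly as entered. The placeholder binding keeps the
// data separate from the SQL text, so no SQL escaping is needed here, and
// no HTML escaping either: the database is not an HTML context.
function save_contact(PDO $db, string $name, string $notes): void {
    $stmt = $db->prepare('INSERT INTO contacts (name, notes) VALUES (:name, :notes)');
    $stmt->execute([':name' => $name, ':notes' => $notes]);
}

// Render rows as HTML. Every dynamic value passes through h() exactly once,
// whether it lands in element content or in an attribute value.
function render_contacts(array $contacts): string {
    $html = "<table>\n";
    foreach ($contacts as $c) {
        $html .= '<tr>'
               . '<td>' . h($c['name']) . '</td>'
               . '<td title="' . h($c['notes']) . '">' . h($c['notes']) . '</td>'
               . "</tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample rows of the kind a user might type into a form. The
// first shows why ENT_QUOTES matters, the second a script tag, the third an
// attempt to break out of an attribute value.
$contacts = [
    ['name' => "O'Brien & Sons", 'notes' => 'Main supplier'],
    ['name' => 'Example Ltd',    'notes' => '<script>alert(1)</script>'],
    ['name' => 'Plain Name',     'notes' => '" onmouseover="alert(2)'],
];

// Only touch the database when a DSN is configured, so the rendering part
// can be run on its own from the command line.
if ($dsn = getenv('INTRANET_DSN')) {
    $db = new PDO($dsn, getenv('INTRANET_USER') ?: '', getenv('INTRANET_PASS') ?: '',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    foreach ($contacts as $c) {
        save_contact($db, $c['name'], $c['notes']);
    }
}

echo render_contacts($contacts);
```

Run without `INTRANET_DSN` set, the script prints the table with `&lt;script&gt;`, `&quot;` and `&#039;` in place of the raw characters, so the browser shows the text rather than executing it. Values that never reach an HTML page (a database column, a log file, a CSV export) do not need htmlspecialchars(); they need whatever escaping their own destination requires, applied at that destination.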