am i right?
Posted: Mon Dec 17, 2007 6:25 am
I'm "Great"
Let's say the above one is the string which is to be stored in a variable.
Then to store it in a variable the 2 ways are
Code:
$str1 = "I'm \"Great\"";
Code:
$str2 = 'I\'m "Great"';
Submitting the form is nothing more than assigning some strings to POST or GET variables.
But this assigning is done by PHP automatically.
Anyway, for it to assign, the 2 ways it has are
just escape all quotes
or
use Heredoc.
1. If the magic_quotes_gpc directive is ON, it uses the escaping method, otherwise the heredoc method. Am I right?
2. Why is it "trusting on magic_quotes is highly discouraged."???
From the PHP manual:
magic_quotes_gpc
Warning
This feature is DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.
I am using a RICH TEXT EDITOR (which has a direct option for them to enter HTML also) in my website.
I don't want them to use tags like input, object, script, embed, iframe, applet.
Now how can I avoid XSS?
i. I can't use htmlentities() or htmlspecialchars() or strip_tags().
ii. I have to use regular expressions to delete these tags along with their content. Any suggestions from a security point of view?
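As an added example (not code from the original post), here is the allowlist approach a reviewer would suggest instead of a regex blacklist: parse the rich-text HTML with PHP's DOMDocument, drop every element that is not on an explicit allowlist (so script, iframe, object, embed, applet and input go, content included) and strip every attribute and URL scheme that is not explicitly permitted. The tag, attribute and scheme lists are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original post. Allowlist-based HTML filter for
// rich-text input: the DOM parser decodes entities and odd markup the same way
// a browser does, so obfuscated tags that slip past a regex still get dropped.
function sanitize_rich_text(string $html): string
{
    // Assumed allowlists for this example; adjust to what the editor really needs.
    $allowedTags    = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
                       'a', 'img', 'h1', 'h2', 'h3', 'blockquote'];
    $allowedAttrs   = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
    $allowedSchemes = ['http', 'https', 'mailto'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // tolerate malformed user markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);

    // Snapshot the node list first: removing nodes from a live list skips elements.
    $nodes = iterator_to_array($xpath->query('//div[@id="root"]//*'), false);
    foreach ($nodes as $el) {
        $tag = strtolower($el->tagName);
        if (!in_array($tag, $allowedTags, true)) {
            $el->parentNode->removeChild($el);  // disallowed element goes with its content
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = isset($allowedAttrs[$tag]) && in_array($name, $allowedAttrs[$tag], true);
            if ($keep && in_array($name, ['href', 'src'], true)) {
                // Strip control characters/whitespace before reading the scheme, then
                // allow only known-safe schemes (this rejects javascript: and data: URLs).
                $value  = preg_replace('/[\x00-\x20]/', '', $attr->value);
                $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
                $keep   = $scheme === '' || in_array($scheme, $allowedSchemes, true);
            }
            if (!$keep) {
                $el->removeAttribute($attr->name);  // drops onclick, style, srcdoc, ...
            }
        }
    }

    // Serialise only the children of the wrapper, not the html/body libxml added.
    $root = $xpath->query('//div[@id="root"]')->item(0);
    $out  = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

The returned markup is safe to place in HTML body context only; a value that ends up inside a script block, a CSS rule or a URL still needs the encoding for that context.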