Hi, I just read that for security purposes I should escape my $output before echoing the values, and the method is to use htmlentities.
However, if the $output is HTML text, for example $output = "A 'quote' is <b>bold</b>";
and I wish to retain the <b> instead of it becoming &lt;b&gt;,
what should I do?
If I am to echo ANY unescaped output to a Flash app frontend, will there be security issues?
escaping output
andyhoneycutt (Forum Contributor, Idaho Falls)
Re: escaping output
Typically, I think, you'll want to secure data that will be used from input, not output. As far as making sure things are good on the flash-app when it receives data, you'll want to run security measures on that end, not necessarily relying on the output method to secure your data.
-Andy
Re: escaping output
You should escape only values, not constants + values:
instead of something like
    // Escape only the value ($bold); the <b> markup is a constant you wrote yourself.
    $bold = htmlspecialchars($bold, ENT_QUOTES, 'utf8');
    $output = "blah <b> $bold</b>";
    echo $output;

    // Escaping the whole assembled string also encodes the <b> tags, so they show up as text.
    $output = "blah <b> $bold</b>";
    echo htmlspecialchars($output, ENT_QUOTES, 'utf8');
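For the case the original poster describes, where the whole string comes from the user and only a few harmless tags should survive, one way is to escape everything and then restore an exact allow-list of attribute-free tags. This is an added example, not code from the thread; escapeAllowingTags and the sample strings are my own.

```php
<?php
// Escape the entire user-supplied string, then un-escape only the bare
// opening/closing forms of an allow-list of tags. Anything else (other tags,
// any tag carrying attributes) stays escaped and renders as literal text.
function escapeAllowingTags(string $text, array $allowedTags = ['b', 'i', 'em', 'strong']): string
{
    // Step 1: escape everything, quotes included, as recommended in the thread.
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Step 2: restore only "<tag>" and "</tag>" exactly.
    // "&lt;b&gt;" -> "<b>", "&lt;/b&gt;" -> "</b>"; "&lt;b class=...&gt;" is NOT matched.
    foreach ($allowedTags as $tag) {
        $escaped = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $escaped
        );
    }
    return $escaped;
}

// Constructed sample input in the shape the original poster described.
$output = "A 'quote' is <b>bold</b>";
echo escapeAllowingTags($output), "\n";
// A &#039;quote&#039; is <b>bold</b>

// Constructed sample: a tag not on the list and a tag with an attribute stay inert.
$mixed = "<u>under</u> and <b class=\"big\">shout</b>";
echo escapeAllowingTags($mixed), "\n";
// &lt;u&gt;under&lt;/u&gt; and &lt;b class=&quot;big&quot;&gt;shout</b>
```

Note that a stray restored closing tag (the `</b>` in the second sample) can close an element you opened around the user text, so wrap user content in a container that such a tag cannot break out of, or use a real tag-aware filter like the htmLawed suggestion later in this thread.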
Re: escaping output
But for user input of a huge chunk of text, how do I differentiate between constants and values?
Re: escaping output
Use htmLawed to escape only certain tags: http://www.bioinformatics.org/phplabwar ... /index.php
Read the documentation fully.
Re: escaping output
@ibolui: You know what "values" are, because you, the programmer, put them there!
See my previous example - $bold is a "value"