Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hey guys, do I need to do any escaping (like htmlentities()) when I have a form field input re-displayed when, say, the user incorrectly fills something out? In other words... this is what I have:
Should I be using htmlentities() around the $_POST['username'] variable? Is any escaping needed when displaying input within a form field element? Thanks for your advice!
Actually, if you have magic_quotes_gpc enabled in your php.ini, you may want to call stripslashes() in addition to htmlentities(). If not, then just htmlentities().
To get rid of any slashes added if magic quotes are enabled, see the function I gave here.
You can include this in the top of every script. Then you never have to use stripslashes or addslashes anymore.
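As an added example (not code from the original thread or its posters), here is one way to apply both answers together: undo magic_quotes_gpc slashes once at the top of the script, then escape the value for an HTML attribute context when re-displaying it. The field name `username`, the validation rule and the helper names are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a PHP 5-era setup
// where magic_quotes_gpc may still be on; the guard keeps it harmless on PHP 8.

// Remove the slashes magic_quotes_gpc added, recursively, so the rest of the
// script can treat $_POST/$_GET/$_COOKIE as raw user input.
function strip_magic_quotes($data)
{
    if (is_array($data)) {
        return array_map('strip_magic_quotes', $data);
    }
    return stripslashes($data);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST   = strip_magic_quotes($_POST);
    $_GET    = strip_magic_quotes($_GET);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Escape for use inside a quoted HTML attribute. ENT_QUOTES converts both
// " and ', so a submitted value can never terminate the value="..." attribute.
function attr($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$error    = '';

// Hypothetical validation rule; on failure the form is re-displayed with the
// submitted value still in the field (escaped, never raw).
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
    $error = 'Username must be 3-20 letters, digits or underscores.';
}
?>
<form method="post" action="">
  <?php if ($error !== ''): ?>
    <p class="error"><?php echo attr($error); ?></p>
  <?php endif; ?>
  <label>Username
    <input type="text" name="username" value="<?php echo attr($username); ?>">
  </label>
  <button type="submit">Sign up</button>
</form>
```

The same escaping applies to any other user-supplied value echoed into the page, not only the field being re-displayed.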