#1 - A Change of Season

    Does htmlspecialchars stop css attack?


    For example, is this enough for keeping the data in the text field?
    PHP Code:
    echo '<input type="text" value="'.htmlspecialchars($_POST['search']).'" />';
    Not speaking about SQL injection here.
    Thanks
#2 - Did you steal it? (requinix)

    XSS.

    Yes, but it would be good to get in the habit of using the full power of the function.
    PHP Code:
    htmlspecialchars($_POST['search'], ENT_QUOTES, 'UTF-8')
#3 - A Change of Season

    Originally Posted by requinix
    XSS.

    Yes, but it would be good to get in the habit of using the full power of the function.
    PHP Code:
    htmlspecialchars($_POST['search'], ENT_QUOTES, 'UTF-8')
    Typo. Sorry.

    I saw that before, but can't really see the difference.
#4 - Did you steal it? (requinix)

    ENT_QUOTES will make it escape apostrophes too, in case you have HTML like
    Code:
    <input type='text' value='blah' />
    UTF-8 is to help with potential text encoding problems.
#5 - --

    Just so that there's no misunderstanding: Of course you must not specify 'UTF-8' if the page encoding isn't UTF-8. You have to specify the actual encoding as set in the Content-Type header. If you don't explicitly specify the encoding, you rely on the default value, which may or may not be correct. If it isn't, this can render the whole function useless:

    http://shiflett.org/blog/2005/dec/go...-vulnerability

    I've actually written down all that in the link in my signature.
    The 6 worst sins of security · How to (properly) access a MySQL database with PHP
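An added example, not code from the thread, putting the advice of posts #4 and #5 together: escape with ENT_QUOTES so a single-quoted attribute is covered too, and pass the charset explicitly from the same constant that feeds the Content-Type header. The escape_attr helper, the PAGE_CHARSET constant and the sample input are constructed for illustration.

```php
<?php
// Added example, not from the thread. One constant drives both the
// Content-Type header and the escaper, so the two cannot drift apart
// (the mismatch post #5 warns about).
const PAGE_CHARSET = 'UTF-8';

function escape_attr(string $value): string
{
    // ENT_QUOTES: escape both " and ' so the value is safe inside either
    // attribute quoting style. ENT_SUBSTITUTE: replace invalid byte
    // sequences with U+FFFD instead of returning an empty string, which is
    // what htmlspecialchars does by default on bad input.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, PAGE_CHARSET);
}

// Constructed sample: an apostrophe followed by a second attribute. Inside a
// single-quoted attribute the apostrophe closes the value early.
$input = "x' title='injected";

// Before PHP 8.1 the default flags are ENT_COMPAT, which leaves the
// apostrophe alone, so the input ends the attribute and the rest of it
// becomes a new attribute on the element.
$weak = htmlspecialchars($input, ENT_COMPAT, PAGE_CHARSET);
echo "<input type='text' value='" . $weak . "' />\n";

// With ENT_QUOTES the apostrophe is encoded and the whole input stays a
// single literal value.
$safe = escape_attr($input);
echo "<input type='text' value='" . $safe . "' />\n";

// In a real response the header must state the same charset the escaper
// was told about:
// header('Content-Type: text/html; charset=' . PAGE_CHARSET);
```

Run both echo lines and compare: only the second output keeps the attribute closed around the entire input.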
