#1 A Change of Season

    Can't make the conversion with htmlspecialchars


    Hello;
    Why does the code below still show a JS alert box saying hi! I don't understand why!
    PHP Code:
    <?php echo html_escape($_POST['first_name']); ?>
    PHP Code:
    <?php
    // Escape &, <, >, " and ' so the value is inert when echoed into HTML (input treated as UTF-8)
    function html_escape($raw_input)
    {
        return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    }
#2 Jacques1
    Hi,

    no offense, but I doubt that. Have you verified it's actually this particular echo generating the script element?

    Do something like this:

    PHP Code:
    <?php var_dump(html_escape('effect of html_escape: ' . $_POST['first_name'])); ?>
    What do you see after "effect of html_escape"? "lt" and "quot"? Or actually angled brackets and quotes?
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
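To reproduce the check Jacques1 describes without a browser, here is an added example (not code from the thread): html_escape() is the thread's function, while html_escape_substitute(), is_inert_html(), check() and both inputs are constructed here for the demonstration.

```php
<?php
// Added example, not code from the thread: exercises the thread's html_escape() with
// the payload from post #3 and with constructed invalid UTF-8, so Jacques1's var_dump
// check can be reproduced offline and the function's one silent failure mode is visible.

function html_escape(string $raw_input): string
{
    // Same flags as the thread's function: & < > " and ' become entities, input read as UTF-8.
    // Correct for HTML body and quoted-attribute context only, not inside <script> or URLs.
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Variant added here (an assumption, not from the thread): ENT_SUBSTITUTE replaces a
// malformed UTF-8 sequence with U+FFFD instead of returning an empty string.
function html_escape_substitute(string $raw_input): string
{
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE, 'UTF-8');
}

// True when, after removing the five entities htmlspecialchars emits, no character
// remains that could open a tag, attribute value or entity.
function is_inert_html(string $escaped): bool
{
    $stripped = str_replace(['&lt;', '&gt;', '&quot;', '&#039;', '&amp;'], '', $escaped);
    return preg_match('/[&<>"\']/', $stripped) === 0;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAIL: $what\n");
        exit(1);
    }
}

// Constructed input: the payload post #3 shows, with the prefix from Jacques1's var_dump
$payload = "<script>alert('k')</script>";
$escaped = html_escape('effect of html_escape: ' . $payload);
var_dump($escaped);
check(strlen($escaped) === 72, 'escaped length matches the string(72) in post #3');
check(is_inert_html($escaped), 'no raw tag or quote characters survive escaping');

// Constructed input: a truncated multibyte sequence, i.e. invalid UTF-8
$bad = "caf\xC3";
check(html_escape($bad) === '', 'plain htmlspecialchars drops the whole value on bad UTF-8');
$substituted = html_escape_substitute($bad);
check($substituted !== '' && is_inert_html($substituted), 'ENT_SUBSTITUTE keeps the text');
echo "all checks passed\n";
```

The var_dump line is the same check Jacques1 suggests; the remaining checks show that the 72-byte length in post #3 can only be the entity-encoded form, and that a single bad byte makes the plain function return an empty string rather than escaped text.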
#3 A Change of Season
    Originally Posted by Jacques1
    Hi,

    no offense, but I doubt that. Have you verified it's actually this particular echo generating the script element?

    Do something like this:

    PHP Code:
    <?php var_dump(html_escape('effect of html_escape: ' . $_POST['first_name'])); ?>
    string(72) "effect of html_escape: &lt;script&gt;alert(&#039;k&#039;)&lt;/script&gt;"
    What do you see after "effect of html_escape"? "lt" and "quot"? Or actually angled brackets and quotes?
    Any reason why it wasn't working a few hours ago and now it is? I guess it was the cache.
