Inconsistent escaping of problem characters for SQL (' & etc.)
02-26-2014, 08:21 AM,
#8
RE: Inconsistent escaping of problem characters for SQL (' & etc.)
Hi Tim,
(02-26-2014, 07:11 AM)Forums Wrote:
(02-26-2014, 07:03 AM)icedlava Wrote: Actually this is incorrect.

Line 321 is correct - you should always do this before displaying data as HTML.

Then I bow to your superior knowledge :-)
I doubt it, probably I read a different book :-)

But sure, technically there should always be preparation of the data before it is displayed as HTML, by cleaning it up with htmlspecialchars() (or htmlentities() perhaps, depending ...), and you do not want to double it up by doing it again.
Quote: I had always understood that once the data had been "sanitised" it didn't need to be "re-sanitised"
Well, what is 'sanitised' in this context?
The data is going to be displayed in HTML, so it should be htmlspecialchars()-encoded.

If we htmlspecialchars_decode() the data before we save it again (at line 38), it should be displayed correctly with the htmlspecialchars() line at 321 as it should be (or htmlentities() is enough in some cases).

If the data wasn't htmlspecialchars()-encoded at line 321, it would be a problem in the case where there were entities that should be encoded.

The fact is that everything that is a var is htmlspecialchars()-encoded in webERP in the sessions.inc or db_escape_string function, and that is a problem when it gets saved in the database with the entities encoded.



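The double-encoding problem the post describes, shown as an added example that is not webERP's code and not code from the thread. The function weberp_style_escape() below is a hypothetical stand-in for what the post says webERP's db_escape_string() does (HTML-encode every variable before it reaches SQL); the real function is not reproduced. The "line 321" and "line 38" references are the ones used in the thread.

```php
<?php
// Added example for this thread; not webERP code.
// Hypothetical stand-in for the behaviour the post attributes to
// db_escape_string(): HTML-encoding every variable on the way into SQL.
// Real SQL escaping belongs to the driver (a prepared statement or
// mysqli_real_escape_string()); only the HTML step matters here.
function weberp_style_escape(string $value): string {
    // ENT_QUOTES is stated explicitly: before PHP 8.1 the default (ENT_COMPAT)
    // leaves the single quote alone, which is exactly the "'" of the thread title.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// "Line 321": encode once at display time. Correct on its own, as the post says.
function render(string $fromDb): string {
    return htmlspecialchars($fromDb, ENT_QUOTES, 'UTF-8');
}

// Constructed input containing each problem character from the thread title.
$input = "O'Reilly & Sons <b>bold</b>";

// Current flow: encoded on input, stored encoded, encoded again on output.
$storedEncoded = weberp_style_escape($input);
// O&#039;Reilly &amp; Sons &lt;b&gt;bold&lt;/b&gt;
$double = render($storedEncoded);
// O&amp;#039;Reilly &amp;amp; Sons &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;
// A browser renders that as the literal text "O&#039;Reilly &amp; Sons ...".

// Proposed flow ("line 38"): decode before saving so the database holds the
// raw text, then encode exactly once when rendering.
$storedPlain = htmlspecialchars_decode($storedEncoded, ENT_QUOTES);
// O'Reilly & Sons <b>bold</b>
$once = render($storedPlain);
// O&#039;Reilly &amp; Sons &lt;b&gt;bold&lt;/b&gt;

// Checks: one decode of the double-encoded string still leaves one layer,
// the proposed flow yields the single-encoded form, and it round-trips.
assert(htmlspecialchars_decode($double, ENT_QUOTES) === $storedEncoded);
assert($once === $storedEncoded);
assert(htmlspecialchars_decode($once, ENT_QUOTES) === $input);

echo "double-encoded: $double\n";
echo "encoded once:   $once\n";
```

Run with `php example.php` (assumed file name). Two caveats a practitioner would want: htmlspecialchars_decode() cannot tell a literal `&amp;` the user typed from one produced by the input-side encoding, so a value that genuinely contained `&amp;` comes back as `&` after the save step; and HTML-encoding the quote with ENT_QUOTES only neutralises it for SQL as a side effect. The design that avoids both issues is to not HTML-encode at input at all: escape for SQL (preferably a prepared statement) when storing, and escape for HTML, once, when rendering.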


RE: Inconsistent escaping of problem characters for SQL (' & etc.) - by icedlava - 02-26-2014, 08:21 AM
