I'm building a PHP intranet for my boss. A simple customer, order, quote system. It will be denied access from the Internet and only used by 3 people. I'm not so concerned with security as I am with validation. JavaScript is disabled on all machines.
The problem I have is this:
- Employee enters valid data into a form containing any of the following: :;[]"' etc.
- Form $_POSTs this data to a validationAndProcessing.php page, which determines whether or not the employee entered data into the fields. If they didn't, they are redirected back to the data input page and the field they missed out is highlighted in red.
- htmlspecialchars() is applied to all data being re-populated to the form from what they entered earlier.
- Form is then resubmitted to validationAndProcessing.php page, if successful data is entered into the database and employee is taken to display data page.
My question is this:
If an employee repeatedly enters no data in step 1, they will keep moving between steps 1 and 4, each time having htmlspecialchars() applied to the data.
So that: &
becomes: &amp;
becomes: &amp;amp;
becomes: &amp;amp;amp;
etc.
How can I stop htmlspecialchars() being applied multiple times to data that is already cleaned?
Thanks, Adam
Check the manual page on htmlspecialchars:
string htmlspecialchars ( string $string [, int $quote_style = ENT_COMPAT [, string $charset [, bool $double_encode = true ]]] )
The $double_encode option should be what you are looking for.
In a properly set up data flow, though, this shouldn't be a possibility at all, except if there is data incoming from the user or a 3rd party service that could or could not already contain HTML encoded characters. (Not that I haven't built a few improperly set up data flows in my career. But that's why I know why it's so important they're clean and well defined. :-)
You should only be using htmlspecialchars in the HTML output, never anywhere else.
<input name="var" value="<?php echo htmlspecialchars($var)?>">
If $var contained an ampersand, say, then in the HTML it would output the encoded value:
<input name="var" value="this&amp;that">
However, the user would only see this&that in their input field, and upon submission, $_GET['var'] will be this&that, not the encoded version.
On the PHP side of things the only thing you may want to do is remove slashes if magic quotes are on:
if (get_magic_quotes_gpc())
    $var = stripslashes($_POST['var']);
else
    $var = $_POST['var'];
From there you should store the raw data in the database, not HTML-encoded versions. To avoid SQL injection, use mysql_real_escape_string if you're using normal mysql functions, or use PDO instead.
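The two answers above can be checked side by side in a few lines. This is an added example, not code from the question or from either answer: the customer name is a constructed sample, the customers table lives in an in-memory SQLite database so the script runs offline, and it is meant to be run from the command line with php.

```php
<?php
// Constructed sample input, the kind of value an employee might type into the form.
$raw = 'Smith & Sons "Ltd" <quote>';

// 1. The bug from the question: the stored value is re-encoded on every round trip,
//    so the previous '&amp;' is itself encoded again.
function encodeInPlace(string $value, int $rounds): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return $value;
}
echo "mutating, 3 rounds:    " . encodeInPlace($raw, 3) . "\n";   // Smith &amp;amp;amp; Sons ...

// 2. The fix: keep the raw value and encode only at the moment of output.
//    Rendering the same raw value any number of times gives the same attribute.
function renderField(string $name, string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe in either quoting style.
    return '<input name="' . $name . '" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}
echo "output-only, round 1:  " . renderField('customer', $raw) . "\n";
echo "output-only, round 3:  " . renderField('customer', $raw) . "\n";   // identical

// 3. The band-aid from the first answer for data that may already be encoded:
//    $double_encode = false leaves existing entities such as '&amp;' alone.
$once  = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
$twice = htmlspecialchars($once, ENT_QUOTES, 'UTF-8', false);
var_dump($once === $twice);                                           // bool(true)

// 4. Store the raw value, not the encoded one, using a prepared statement
//    (SQLite in memory here; the table layout is assumed for the example).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO customers (name) VALUES (:name)');
$stmt->execute([':name' => $raw]);
$stored = $pdo->query('SELECT name FROM customers')->fetchColumn();
var_dump($stored === $raw);                                           // bool(true)

// Encoding happens only when the stored value is written into the page again.
echo renderField('customer', $stored) . "\n";
```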
So that: &
becomes: &amp;
becomes: &amp;amp;
becomes: &amp;amp;amp;
You are simply wrong. Just try it and see:
<form>
<input name="a" value="<?=htmlspecialchars($_GET["a"])?>">
<input type=submit>
</form>