Thread: htmlentities() question
11-06-2013, 03:48 AM #1
I have a script called "send-pm.php" which sends a private message.
In it, I store the recipient's username in the $_SESSION variable. (This is after I have thoroughly sanitized the Recipient's Username by checking the format, checking for it in the database, etc.)
Once this script has run, I have an "outcome.php" script which displays all pass/fail messages.
At the top of "outcome.php", I have this...
$username = (isset($_SESSION['username']) ? $_SESSION['username'] : '');
Because $_SESSION['username'] and therefore $username have already been sanitized, can I skip using htmlentities() for something like this...
echo "<p>Your Private Message has been sent to $username</p>";
I was under the impression that you only need to use htmlentities() for data which comes directly from the user (e.g. Form Comments).
11-06-2013, 11:25 AM #2
Say I PM'd you some text with the < and > characters. We want those displayed, right? Therefore we run the text through htmlentities() and it would output the HTML codes for those characters so that they're displayed and not interpreted as part of the HTML.
There is some confusion about this function also being used for security... no idea why.
My helpful sig is on vacation trying to lose some weight. It got a bit fat and caused a few problems but it will be back at some point!
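An added example, not code from the thread or from either poster, showing the practical answer to the question in post #1 and the display behaviour described in post #2: encode at the point of output regardless of what was validated earlier. The validation regex, the `h()` helper name and the sample usernames are assumptions constructed for the example.

```php
<?php
// Added example (not from the thread): output-encode at the echo,
// independent of whatever validation happened before the value was stored.
declare(strict_types=1);

// Hypothetical username rule, standing in for the checks the poster says
// send-pm.php performs before writing $_SESSION['username'].
function is_valid_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,20}$/', $username);
}

// Encode a value for HTML element content or a double-quoted attribute.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string; the explicit charset
// avoids relying on the default encoding of older PHP versions.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What outcome.php would emit for a given session value. The encoding is
// applied here, at the sink, so it holds even if some other script later
// starts writing $_SESSION['username'] without the same checks.
function render_outcome(string $username): string
{
    return '<p>Your Private Message has been sent to ' . h($username) . '</p>';
}

// Constructed sample values: one that passes the hypothetical validation and
// one that contains markup, i.e. what post #2 describes with < and >.
$samples = [
    'alice_99',
    '<b>bob</b>',
];

foreach ($samples as $username) {
    $valid = is_valid_username($username) ? 'accepted' : 'rejected';
    echo "validation: {$valid}\n";
    echo 'output:     ' . render_outcome($username) . "\n\n";
}

// Encoding a value that already passed the regex is a no-op, which is why
// skipping htmlentities()/htmlspecialchars() for "already sanitized" data
// saves nothing; keeping it at the output costs nothing and stays correct
// if the validation rule or the writer of the session value changes.
assert(h('alice_99') === 'alice_99');
assert(h('<b>bob</b>') === '&lt;b&gt;bob&lt;/b&gt;');
```

Usage note: the encoding above is only right for HTML element content and quoted attribute values. A value placed inside a `<script>` block or a URL needs the encoder for that context (for example `json_encode()` with the `JSON_HEX_*` flags for JavaScript, `rawurlencode()` for a URL component); input validation does not change which encoder the output context requires.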
11-06-2013, 12:43 PM #3
http://seancoates.com/blogs/xss-woes, just a case
The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)
11-07-2013, 01:17 AM #4