  1. #1 doubledee (Senior Coder)

    htmlentities() question

    I have a script called "send-pm.php" which sends a private message.

    In it, I store the recipient's username in the $_SESSION variable. (This is after I have thoroughly sanitized the Recipient's Username by checking the format, checking for it in the database, etc.)

    Once this script has run, I have an "outcome.php" script which displays all pass/fail messages.

    At the top of "outcome.php", I have this...
    PHP Code:
        // Fall back to an empty string when no recipient username is in the session.
        $username = (isset($_SESSION['username']) ? $_SESSION['username'] : '');

    Because $_SESSION['username'] and therefore $username have already been sanitized, can I skip using htmlentities() for something like this...
    PHP Code:
        echo "<p>Your Private Message has been sent to $username</p>";

    I was under the impression that you only need to use htmlentities() for data which comes directly from the user (e.g. Form Comments).

    Sincerely,


    Debbie

  • #2 tangoforce (Senior Coder)
    Quote Originally Posted by doubledee:
    Because $_SESSION['username'] and therefore $username have already been sanitized, can I skip using htmlentities() for something like this...
    PHP Code:
        echo "<p>Your Private Message has been sent to $username</p>";

    I was under the impression that you only need to use htmlentities() for data which comes directly from the user (e.g. Form Comments).
    htmlentities() is really for displaying html sensitive characters in the browser.

    Say I PM'd you some text with the < and > characters. We want those displayed, right? Therefore we run the text through htmlentities and it would output the HTML codes for those characters so that they're displayed and not interpreted as part of the HTML.

    There is some confusion about this function also being used for security... no idea why.

  • #3 abduraooft (Supreme Master coder!)
    Quote Originally Posted by tangoforce:
    There is some confusion about this function also being used for security... no idea why.
    See this old article http://seancoates.com/blogs/xss-woes, just a case

  • #4 doubledee (Senior Coder)
    Quote Originally Posted by tangoforce:
    htmlentities() is really for displaying html sensitive characters in the browser.

    Say I PM'd you some text with the < and > characters. We want those displayed, right? Therefore we run the text through htmlentities and it would output the HTML codes for those characters so that they're displayed and not interpreted as part of the HTML.

    There is some confusion about this function also being used for security... no idea why.
    Because it helps prevent XSS Attacks...


    Debbie
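The point the thread settles on, as an added example that is not code from any of the posters: the session value is encoded at the moment it is written into HTML, regardless of how it was validated when it was stored. The helper name `e()` and the sample usernames are assumptions for this illustration.

```php
<?php
// Added example, not code from the thread. Shows why $_SESSION['username'] is
// still encoded at output time even though it was validated when stored.

// Hypothetical helper: encode a value for insertion into an HTML text node
// or a quoted attribute. ENT_QUOTES covers both ' and "; the charset must
// match the page's declared encoding or the result can be misinterpreted.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rendering as in the original post: the value is interpolated unencoded,
// so any < > & " ' in it reach the browser as markup.
function render_unencoded(string $username): string
{
    return "<p>Your Private Message has been sent to $username</p>";
}

// Rendering with output encoding: the browser displays the characters
// instead of interpreting them as part of the HTML.
function render_encoded(string $username): string
{
    return '<p>Your Private Message has been sent to ' . e($username) . '</p>';
}

// Constructed sample values. The first two are realistic usernames that a
// format check might allow; the third is the kind of value such a check is
// meant to reject. Encoding at output keeps the page correct even if that
// earlier check is ever relaxed or bypassed.
$samples = [
    'debbie_az',
    "O'Brien & Sons",
    '<b>debbie</b>',
];

foreach ($samples as $username) {
    echo "unencoded: ", render_unencoded($username), "\n";
    echo "encoded:   ", render_encoded($username), "\n\n";
}
```

Run it from the command line and compare the two lines for the third sample: the unencoded form hands the browser a tag, the encoded form hands it the text `<b>debbie</b>`.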

