php - htmlspecialchars() on array of values fetch -


lets fetch data pdo

$stmt = $this->dbh->prepare("select * posts");     $stmt->execute();     $result = $stmt->fetchall();     return $result;

how should use htmlspecialchars() before displaying results using echo on view page? is ok escape array of results right after fetchall() or should escape results 1 one in view page?

if use htmlspecialchars() right after fetch, following work?

$stmt = $this->dbh->prepare("select * posts");     $stmt->execute();     $result = $stmt->fetchall();     $results=  implode(',', $results);     $results= htmlspecialchars($results);     $results= explode(',', $results);     return $results;

disregarding whether solution in question works (it not marc b pointed out), technically doesn't matter where encode values long encoded before being written page. it's pretty design decision.

let me note though htmlspecialchars() not holy grail against xss. protects when output written in html context, not when it's written javascript example.

consider this:

...your html content... <script type="text/javascript">     var myvar = <?= myvar ?>; </script> ...

in case, calling htmlspecialchars() on myvar not enough if may contain user input. in example above, don't need special character exploit xss. same applies things <div onclick="myfun('something', <?=myvar?>)"> -- it's still javascript context, need different encoding.

a full tutorial on xss not fit (and believe not belong) in answer here, wanted raise attention fact html encoding not enough @ all.

having said that, applying htmlspecialchars() right after reading data database think wrong, because @ point don't care data used (what context written into). may separation of concerns thing in code.

so spare encoding data until gets written page, because know encoding use.


-

Comments

Post a Comment

Popular posts from this blog

unity3d - Rotate an object to face an opposite direction -

i have object , b. when click on object b, rotates object b (a faces b). b doesn't face a. need following : when faces b, need face opposite direction. have code rotating @ b. how rotate face opposite direction after that? vector3 targetdirection = target - transform.position; float step = speed * time.deltatime; vector3 newdirection = vector3.rotatetowards (turretdome.transform.forward, targetdirection, step, 0.0f); turretdome.transform.rotation = quaternion.lookrotation (newdirection); you object facing object b, want inverse direction of object after that? objecta.transform.rotation = quaternion.inverse(objecta.transform.rotation) but lets assume example turretdome object a, (negate direction): turretdome.transform.rotation = quaternion.lookrotation (-newdirection); naturally, both of these snippets not show how smoothen rotation, seem know how use time.deltatime. just incase unsure, quaternion.lerp this
Read more

angular - Is it possible to get native element for formControl? -

i've got angular2 reactive form . created formcontrol s , assigned input fields by [formcontrol]=... . understand creates nativeelement <-> formcontrol link. my question: possible nativeelement formcontrol ? wanna myformcontrol.nativeelement.focus() i can share 1 terrible solution works me. in reactive forms can use either 1) formcontroldirective ts mycontrol = new formcontrol('') template <input type="text" [formcontrol]="mycontrol"> or 2) formcontrolname ts myform: formgroup; constructor(private fb: formbuilder) {} ngoninit() { this.myform = this.fb.group({ foo: '' }); } template <form [formgroup]="myform"> <input type="text" formcontrolname="foo"> </form> so these directives write patch like 1) formcontroldirective const originformcontrolngonchanges = formcontroldirective.prototype.ngonchanges; formcontroldirective.proto
Read more

javascript - Why jQuery Select box change event is now working? -

i working on product filters user select select box according his/her preference not getting selected value user in jquery. html code:- <select name="product_filter" id="product_filter"> <option value="price_low_first">price : low high</option> <option value="price_high_first">price : high low</option> <option value="latest">latest</option> <option value="popular">most popular</option> </select> jquery code: $(function () { $("#product_filter").change(function () { alert("hi") var selectedtext = $(this).find("option:selected").text(); var selectedvalue = $(this).val(); alert("selected text: " + selectedtext + " value: " + selectedvalue); }); }); hi believe code perfect. once please check jquery.min.js
Read more