Hi GIJOE,
First, thank you for all the work you are doing for XOOPS!
How about starting a forum (or forums) for security: module development, PHP, XOOPS, web server ... and maybe one for module development in general?
I already have some questions for the security forum
I'm not a specialist in security.
Anyway, you can post such questions to the Etc. forums.
I'll answer if the question is answerable for me.
Well, I have an edit field where the user enters a URL.
I do "$myts->addSlashes..." before saving into the database and "$myts->htmlSpecialChars..." before display.
Is that OK, and what else should I do?
Quote:
stefan88 wrote:
Well, I have an edit field where the user enters a URL.
I do "$myts->addSlashes..." before saving into the database and "$myts->htmlSpecialChars..." before display.
Is that OK, and what else should I do?
- "user enters url"
You should know about some URLs such as javascript: or about:.
- $myts->addSlashes
You should know that $myts->addSlashes behaves curiously.
Under the environment magic_quotes_gpc=on, it never escapes slashes.
POST, GET -> ($myts->stripSlashes) -> raw data
raw data -> (addslashes or mysql_*_escape instead of $myts->addSlashes) -> string for MySQL
This is the right way.
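The pipeline GIJOE sketches above (undo magic_quotes_gpc to get raw data, escape once for MySQL right before the query, escape for HTML right before output) plus a scheme check for the javascript: / about: URLs he mentions, as an added example. This is not code from the thread or from XOOPS; the function names are my own, and addslashes() stands in for mysql_real_escape_string() / a prepared statement only so the example runs without a database connection. Note that magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, so the magic-quotes branch only matters on the old PHP this thread was written for.

```php
<?php
// Added example (not GIJOE's or XOOPS code) of the input pipeline described above:
//   POST/GET -> stripslashes (only if magic_quotes_gpc=on) -> raw data
//   raw data -> scheme allowlist -> addslashes/mysql_real_escape_string -> SQL
//   raw data -> htmlspecialchars -> HTML

function magic_quotes_active(): bool
{
    // get_magic_quotes_gpc() no longer exists on PHP 8; treat absence as "off".
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

function gpc_to_raw(string $value, bool $magicQuotesOn): string
{
    // With magic_quotes_gpc=on PHP has already backslashed ' " \ and NUL.
    // Strip that so the rest of the code sees exactly what the user typed;
    // otherwise the value is already raw.
    return $magicQuotesOn ? stripslashes($value) : $value;
}

function is_safe_url(string $url): bool
{
    // Browsers ignore whitespace and control characters inside the scheme,
    // so "java\tscript:alert(1)" still runs. Remove them before looking at
    // the scheme, then allow only explicit, harmless schemes (javascript:,
    // about:, data:, vbscript: and anything unknown are rejected).
    $probe = preg_replace('/[\x00-\x20]/', '', $url);
    if (!preg_match('#^([a-z][a-z0-9+.\-]*):#i', $probe, $m)) {
        return false; // no scheme at all: require an absolute URL
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'ftp'], true);
}

function for_mysql(string $raw): string
{
    // Escape exactly once, right before building the SQL string.
    // With a live connection use mysqli_real_escape_string($link, $raw) or,
    // better, a prepared statement with a bound parameter; addslashes() is
    // used here (hypothetically) so the example runs offline.
    return addslashes($raw);
}

function for_html(string $raw): string
{
    // Escape for the HTML attribute context at output time, never before storing.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs, as they would arrive in $_POST['url'] under
// magic_quotes_gpc=on (note the backslash PHP added before the quote).
$samples = [
    "http://example.com/?q=O\\'Reilly",
    "javascript:alert(document.cookie)",
    "java\tscript:alert(1)",
    "about:blank",
    "https://xoops.org/",
];

$magic = true; // simulate the old environment; in real code: magic_quotes_active()

foreach ($samples as $posted) {
    $raw = gpc_to_raw($posted, $magic);
    if (!is_safe_url($raw)) {
        echo "rejected: " . for_html($raw) . "\n";
        continue;
    }
    $sql = "INSERT INTO links (url) VALUES ('" . for_mysql($raw) . "')";
    echo $sql . "\n";
    echo '<a href="' . for_html($raw) . '">link</a>' . "\n";
}
```

Running this rejects the three javascript:/about: variants and shows the O'Reilly URL escaped exactly once for SQL (O\'Reilly) and, independently, once for HTML (O&#039;Reilly); applying $myts->addSlashes on top of magic quotes would instead have stored O\\'Reilly, which is the double-escaping GIJOE's ordering avoids.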