That's a brilliant explanation, to the point. Keep it up.
Preventing XSS attacks would be a nice title for this vid
Thanks
keep it up
nicely explained!
This is really helpful for security!
A humble suggestion based on this is making a function, like 'goodecho($str)' or 'eecho($str)', like this:
echo htmlspecialchars($str);
And use it to make output the same way you would use echo.
Using plain functions. Ahh, so nostalgic!
Arnolds Kļavenieks Absolutely, and there's nothing wrong with a function for helpers like this. You wouldn't want to do something like Helper::escape() or (new Helper)->escape() :)
Great. Thanks!
thanks!!.. great tut..
Thanks for the video Alex
Hicham Hadraoui You're welcome.
can you please do more PHP Security.
Blitz Yup!
yay! Hey *****, I'm a big fan of your work and I was wondering, do you want to start a project together? I'm a front-end developer but not really good at back end; since it seems you're a back-end / PHP dev, I think we would make an awesome team. Thank you for the AWESOME vids and keep up the good work man!!!!
Blitz I really like your page banner and profile pic logo, can you link me to some of your work; just so I can appreciate it, as I love looking and inspecting quality things so I can learn from them.
Thanks! I'll think about it :) depends if I'm busy
Blitz You'll think about it, i.e. you don't want to link me to your work.
It's fine I respect your privacy
There should probably be a minor validation such as:
if (!function_exists('escape')) {
// function here
}
In case the user has pulled a package in that already has that helper function implemented. :)
***** Good point. Didn't want to complicate the video by introducing this, but an excellent point.
very good man
thanks
Nice. Can you make such a video about properly escaping the user's input?
Иван Чоботар Sure, that's called 'sanitizing', you do this on input, and 'escape' on output. I'll be adding more security videos, and this is one of them :)
There is a problem with require and include too, as RFI or LFI..
I usually create a function called e() instead of escape(), way shorter!
Did you actually listen to the video?
Wiejeben Me too! I mentioned this in the video, since it's shorter and easier to write and has become a pretty standard name for escaping now.
Please, can you tell me what is the difference between "htmlspecialchars" and "htmlentities"? From what I understand, both functions return the same results.
Rodrigo Bravo htmlspecialchars only converts the characters into HTML entities that are used by HTML; htmlentities converts every character into the corresponding HTML entity (for example, htmlentities converts © to &copy; but htmlspecialchars does not).
What text editor do you use?
What would I do if my user was to use a CMS that allows for adding underline, bold, font size, etc. code, like a forum does? How would I make sure no scripting is sent through?
Firepants20 Look up BBCode. It's a simple markup language that uses [] instead of <>, but other than that it's similar to HTML. You just need to parse them before outputting.
yosoAMW Ah yes! I completely forgot about BBCode
Firepants20 Or you can pass the input through a Markdown parser such as: parsedown.org/
Firepants20 Use Markdown :)
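One way to let users format posts (bold, underline, font size, links) without letting script through, as an added example that is not from the video or any of the commenters: escape the whole string first, then translate only a small whitelist of BBCode tags into HTML. renderBbcode() and the sample post are constructed for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Render a tiny BBCode subset safely. Everything the user typed is escaped
 * first, so raw HTML stays inert; only the whitelisted tags below become HTML.
 */
function renderBbcode(string $input): string
{
    // Step 1: neutralise every HTML-significant character (& < > " ').
    $html = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: simple paired tags with no attributes. The non-greedy pattern
    // means [b] can only ever become a bare <strong>, never <strong onload=...>.
    $simple = ['b' => 'strong', 'i' => 'em', 'u' => 'u'];
    foreach ($simple as $bb => $tag) {
        $pattern = sprintf('#\[%1$s\](.*?)\[/%1$s\]#s', $bb);
        $html = preg_replace($pattern, '<' . $tag . '>$1</' . $tag . '>', $html);
    }

    // [size=N]: N is restricted to one or two digits and clamped, so the
    // emitted style attribute can only ever contain a small integer.
    $html = preg_replace_callback('#\[size=(\d{1,2})\](.*?)\[/size\]#s', function (array $m): string {
        $px = max(8, min(40, (int) $m[1])); // clamp to 8..40 px
        return '<span style="font-size:' . $px . 'px">' . $m[2] . '</span>';
    }, $html);

    // [url=...]: only http(s) schemes are accepted, so a javascript: URL never
    // reaches href; quotes in the URL were already entity-escaped in step 1.
    $html = preg_replace_callback('#\[url=(https?://[^\s\[\]]+)\](.*?)\[/url\]#is', function (array $m): string {
        return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
    }, $html);

    return $html;
}

// Constructed sample post: legitimate formatting mixed with injection attempts.
$post = '[b]Hello[/b] <script>alert(1)</script> [size=14]big[/size] '
      . '[url=javascript:alert(1)]bad[/url] [url=https://example.com]ok[/url]';
echo renderBbcode($post), "\n";
```

The rejected javascript: link is left as literal, escaped text, while the https: link and the formatting tags are rendered.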
Alex, what's the difference between htmlspecialchars() and htmlentities()?
There are tons of answers for this in stack overflow. Just use Google. You're a programmer or what?
Edit: You can see at 4:17 when he opens the PHP article there is some information in the first paragraph :)
Cristi Alexandru htmlspecialchars only converts the characters into HTML entities that are used by HTML; htmlentities converts every character into the corresponding HTML entity (for example, htmlentities converts © to &copy; but htmlspecialchars does not).
- came from ua-cam.com/video/GPAO5yiCbNk/v-deo.html&lc=z13oglk4wuyyipwye04cfpxqjqauzd3igws0k give him a thumbs up :)
Cristi Alexandru Hi Cristi, htmlentities is pretty much the same, but converts more entities. This isn't needed on the security side, so you can use htmlspecialchars to only convert the required entities. No point converting more than you need (unless you actually need to)!
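An added example, not from the video or any commenter, that ties together the suggestions above: the output-escaping helper named e() (as proposed in the thread), wrapped in the function_exists() guard, with the htmlspecialchars()/htmlentities() difference shown side by side. The sample input is constructed.

```php
<?php
declare(strict_types=1);

// Guard the definition so a package that already ships an e() helper is not
// redefined (a second definition would be a fatal error in PHP).
if (!function_exists('e')) {
    /**
     * Escape a string for insertion into an HTML text node or a quoted
     * attribute value. Call it at output time, exactly where you would echo.
     */
    function e(string $str): string
    {
        // ENT_QUOTES also escapes single quotes, so the result is safe inside
        // attr='...' as well as attr="...". ENT_SUBSTITUTE replaces invalid
        // UTF-8 with U+FFFD instead of returning an empty string, which would
        // otherwise silently blank the whole value.
        return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample: a value that arrived from a form and was stored as-is.
$untrusted = '<script>alert(1)</script> "double" \'single\' & ©';

// The same helper serves a text node and an attribute value.
echo '<p>' . e($untrusted) . "</p>\n";
echo '<input type="text" value="' . e($untrusted) . "\">\n";

// htmlspecialchars() only rewrites the characters HTML itself needs escaped
// (& < > " '), so the copyright sign passes through unchanged, while
// htmlentities() also turns it into its named entity. Both neutralise the tag.
echo htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8'), "\n";
echo htmlentities($untrusted, ENT_QUOTES, 'UTF-8'), "\n";
```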
Woah, I never thought of XSS coming from an output, but it's so obvious, just a little misguided thought.