Wednesday, 8 August 2012

Security - htmlentities()

Hi everyone!!

Most sites accept data entered by users and store it in a database. If a user enters some HTML or a script, it is stored in the database exactly as typed. The real problem arises when that data is displayed somewhere, such as on a user profile page: the malicious code may be executed when it is rendered.

So, to prevent anything of that kind from jeopardising the security of your website, wrap every output in the function htmlentities(), as follows:

    echo "Name : " . htmlentities($data['name']);

Here $data['name'] is the data retrieved from the database. Suppose the user had typed the following into the name text box:

    Name:   <script type="text/javascript" src="----//viralcode.php"></script>

Without escaping, the script would be executed every time the name is displayed, and the user could harm your site as he wishes...

The function htmlentities() converts every character that has an HTML entity equivalent (such as <, > and ") into that entity, so the browser prints the input as literal text. All the HTML tags are shown as text only, never interpreted as markup.
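The following is an added example, not code from the original post. It wraps htmlentities() in a small helper that passes the ENT_QUOTES flag and an explicit charset (both assumptions, not part of the post, but what a practitioner would want so that quotes are escaped too and the bytes are decoded as UTF-8), and applies it to constructed sample data in both a text position and an attribute value.

```php
<?php
declare(strict_types=1);

// Escape a string for insertion into HTML text or into a quoted attribute.
// ENT_QUOTES also converts ' and " so the value cannot close an attribute;
// the explicit 'UTF-8' keeps htmlentities() from mis-decoding the input.
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample row, standing in for data fetched from the database.
// The "name" field holds the kind of input the post warns about.
$data = [
    'name' => '<script>alert("xss")</script>',
    'city' => 'München "Süd" & Nord',
];

// Unsafe: the raw value is sent to the browser and parsed as markup.
// echo "Name : " . $data['name'];

// Safe: <, >, ", & and ' all become entities, so the browser shows the
// literal text instead of running a script.
echo "Name : " . escapeHtml($data['name']) . "\n";

// The same helper inside an attribute value: the quotes in the city name are
// escaped, so the user cannot break out of the value="..." attribute.
echo '<input type="text" name="city" value="'
    . escapeHtml($data['city']) . '">' . "\n";
```

The helper must be applied at output time, once per value, in every template that prints user-supplied data; escaping before storing is not a substitute, because the database then holds altered data that may be reused in non-HTML contexts.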

     So always use the function to secure your website. Hope this post was helpful. Stay tuned for more posts...
