Dotan Cohen wrote: > One note, I remove semicolons from the user input to thrart SQL > injection as they can be used to terminate an SQL query and are > very uncommon in regular speech. However, htmlspecialchars() > and htmlentities add semicolons when converting. Is this > dangerous, ie, can this be exploited?
If you ever use htmlentities() to escape data for SQL or mysql_real_escape_string() to escape data for HTML, then yes, it is dangerous. Escaping functions are context-dependent. Hope that helps. Chris -- Chris Shiflett http://shiflett.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
