TheNone

Reputation: 5802

URL filtering in php, filter_var or htmlentities

For a secure URL query, what is more secure? filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) or htmlentities?

Upvotes: 1

Views: 1371

Answers (2)

rook

Reputation: 67004

What are you defending against? A vulnerability is highly dependent on how the data is being used. It's impossible to create 1 function call that protects against everything, and mixing protection systems (like XSS and SQL injection) is a very bad idea.

For XSS you should use: htmlspecialchars($var, ENT_QUOTES);

For SQL injection in MySQL you should use mysql_real_escape_string($var);

If you are passing user input to system() or another similar function then you should use escapeshellarg($var);

These are the top 3 and mixing these will cause nothing but problems.

Upvotes: 1
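The context-dependence rook describes, as an added example that is not from the question or either answer: the same untrusted value is encoded for the URL-query context the question actually asked about, then for HTML and shell contexts, with a round-trip check showing why an HTML encoder is the wrong tool for a URL. The SQL context is left out because mysql_real_escape_string() needs a live connection; the input string and the example.com URL are constructed here.

```php
<?php
// Untrusted input constructed to contain characters that are special in
// each of the three output contexts (URL query, HTML, shell).
const UNTRUSTED = 'a&b=c <img onerror=x> "dq" \'sq\'; rm -rf /';

// 1. URL query context: percent-encoding via http_build_query(). This is
//    what the question needs; htmlentities()/FILTER_SANITIZE_SPECIAL_CHARS
//    are HTML encoders and do not make a value safe inside a query string.
function buildSearchUrl(string $value): string {
    return 'https://example.com/search?' . http_build_query(['q' => $value, 'page' => 2]);
}

// 2. HTML context: htmlspecialchars() with ENT_QUOTES, as the answer says.
//    The already-URL-encoded href still needs HTML encoding when it is
//    written into an attribute, because '&' is special to HTML too.
function renderLink(string $url, string $label): string {
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// 3. Shell argument context: escapeshellarg() wraps the value so the
//    command receives it as exactly one argument, never as extra commands.
function buildGrepCommand(string $pattern): string {
    return 'grep -r -- ' . escapeshellarg($pattern) . ' /var/log/app';
}

// Decode the q parameter the way the receiving script would.
function decodeQueryParam(string $url): ?string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params['q'] ?? null;
}

// Correct encoder: the value survives the round trip unchanged.
$good = buildSearchUrl(UNTRUSTED);
assert(decodeQueryParam($good) === UNTRUSTED);

// Wrong encoder for the context: htmlentities() leaves '=' and ' ' raw and
// turns '&' into '&amp;', so the receiver sees q=a plus a stray 'amp;b' key.
$wrong = 'https://example.com/search?q=' . htmlentities(UNTRUSTED, ENT_QUOTES, 'UTF-8');
assert(decodeQueryParam($wrong) === 'a');

echo renderLink($good, UNTRUSTED), PHP_EOL;
echo buildGrepCommand(UNTRUSTED), PHP_EOL;
```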

mcandre

Reputation: 24682

The first one is clearly designed for such a purpose.

Upvotes: 3
