filburt1
04-22-2003, 10:00 PM
To easily prevent HTML injection from HTML that happens to be in the results of a database query, do this:
while ($bits = $DB_site->fetch_array($result))
{
foreach ($bits as $key => $value) $bits[$key] = htmlspecialchars($value);
.
.
.
}
That goes through every single element from the fetch_array method and converts all HTML junk to their entities. Then, when you use "$bits[something]" in a template, the user won't be able to inject HTML at all.
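As an added illustration of the technique in this post (my own example code, not filburt1's or vBulletin's), here is the same row-escaping loop pulled into a function and run against a constructed sample row standing in for what $DB_site->fetch_array($result) would return. The escape_row and render helpers and the member.php template are assumptions for the demonstration. It passes ENT_QUOTES so single quotes are escaped too, which matters when a value lands inside a single-quoted attribute, and ENT_SUBSTITUTE plus an explicit charset so malformed input is replaced rather than silently turned into an empty string.

```php
<?php
// Added example, not the original post's code: escape every string value of a
// fetched row before it reaches a template. $bits below is constructed sample
// data standing in for $DB_site->fetch_array($result).

declare(strict_types=1);

/**
 * Return a copy of $row with every string value HTML-escaped.
 * ENT_QUOTES also escapes single quotes, so the value is safe inside
 * single- or double-quoted attributes as well as in element text;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
 * Non-string values (ints, NULL) are left as they are.
 */
function escape_row(array $row): array
{
    foreach ($row as $key => $value) {
        if (is_string($value)) {
            $row[$key] = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
    return $row;
}

/**
 * Minimal stand-in for a template engine (hypothetical): replaces {name}
 * placeholders with already-escaped row values. Unknown keys render empty.
 */
function render(string $template, array $escaped): string
{
    return preg_replace_callback(
        '/\{([a-z_]+)\}/',
        static fn(array $m): string => (string) ($escaped[$m[1]] ?? ''),
        $template
    );
}

// Constructed row: a user-supplied username containing markup, and a title
// containing double quotes that would otherwise terminate an attribute.
$bits = [
    'userid'   => 42,
    'username' => '<b>not really bold</b>',
    'title'    => 'He said "hi" & left',
];

$escaped = escape_row($bits);

$template = '<a href="member.php?u={userid}" title="{title}">{username}</a>';
echo render($template, $escaped), "\n";
// Output:
// <a href="member.php?u=42" title="He said &quot;hi&quot; &amp; left">&lt;b&gt;not really bold&lt;/b&gt;</a>
```

Two points worth keeping in mind when using this approach: escape the copy you hand to the template and not the data you write back to the database, otherwise the stored value picks up another layer of entities on every round trip; and htmlspecialchars covers HTML text and attribute contexts only, so a value that is placed inside a URL or a script block still needs the encoding appropriate to that context.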