utf8_decode function question

  • Sender

    utf8_decode function question

    Hi folks, I read in a security note that something known as a cross-site
    scripting attacker can use utf8 encoding and that you could decode data to
    prevent this. My site has a few fill in the blanks forms for submission to a
    database. Should I be concerned about this and should I be using the utf8
    decode function on the data submitted?

    TIA
    Bill


  • Daniel Tryba

    #2
    Re: utf8_decode function question

    Sender <blah@blah.com> wrote:
    > Hi folks, I read in a security note that something known as a cross-site
    > scripting attacker can use utf8 encoding and that you could decode data to
    > prevent this.

    What if the string is double encoded in anticipation of your decode?

    > My site has a few fill in the blanks forms for submission to a
    > database. Should I be concerned about this

    You should always be concerned about (all) user input.
    > and should I be using the utf8 decode function on the data submitted?

    IMHO you should escape the string before inserting according to the
    RDBMS's specs (like using mysql_escape_string() if you use mysql).

    --

    Daniel Tryba
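As an added illustration of the two points made in this answer (a decode-once filter can be defeated by double encoding, and binding/escaping per the database plus escaping at output time does not depend on decoding at all), here is a small Python demo that is not code from the thread. The inputs are constructed, sqlite3 stands in for MySQL, and percent-encoding stands in for whatever encoding layer the site decodes.

```python
import html
import sqlite3
from urllib.parse import unquote

# Constructed sample inputs (not from the original thread).
PLAIN = "<b>Bill's</b>"                      # raw markup plus a quote character
ENCODED_ONCE = "%3Cb%3Ehi%3C/b%3E"           # one layer of percent-encoding
ENCODED_TWICE = "%253Cb%253Ehi%253C/b%253E"  # "%25" is an encoded "%": two layers


def decode_then_filter(value: str) -> bool:
    """The fragile approach from the question: decode once, then reject anything
    containing an angle bracket. Returns True when the filter ACCEPTS the value."""
    decoded = unquote(value)
    return "<" not in decoded and ">" not in decoded


def store_comment(conn: sqlite3.Connection, body: str) -> int:
    """Store user input with a bound parameter (the driver applies the database's
    own escaping rules), as the answer recommends. Returns the new row id."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    return cur.lastrowid


def render_comment(conn: sqlite3.Connection, rowid: int) -> str:
    """Escape for the HTML output context at render time. The stored value is
    exactly what the user sent; it is neutralised where it is used."""
    (body,) = conn.execute(
        "SELECT body FROM comments WHERE rowid = ?", (rowid,)
    ).fetchone()
    return "<p>" + html.escape(body, quote=True) + "</p>"


def demo() -> dict:
    """Run every sample through both approaches; returns
    {name: (filter_accepted, stored_value, rendered_html)}."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    results = {}
    for name, value in [("plain", PLAIN), ("once", ENCODED_ONCE), ("twice", ENCODED_TWICE)]:
        rowid = store_comment(conn, value)
        (stored,) = conn.execute(
            "SELECT body FROM comments WHERE rowid = ?", (rowid,)
        ).fetchone()
        results[name] = (decode_then_filter(value), stored, render_comment(conn, rowid))
    return results
```

Running `demo()` shows the double-encoded input sailing past the decode-once filter, while the bound INSERT stores every value verbatim (the quote in "Bill's" does not break the statement) and the rendered output contains no live markup for any of them.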
