htmlentities to escape plain string

  • mutanx
    New Member
    • Sep 2013
    • 4

    htmlentities to escape plain string

    Hello, I tried to escape an outputted database plain string using htmlentities as below

    Code:
    echo "<font size=4 color=green><option value=$row3[cat_id]>$row3[name]</option></font>";

    I tried it this way but it is not working

    Code:
    echo "<font size=4 color=green><option value=htmlentities($row3[cat_id], ENT_QUOTES,"UTF-8")>htmlentities($row3[name], ENT_QUOTES, "UTF-8")</option></font>";

    Below is the entire code:

    Code:
    <?php
    require('./db.php');

    $result = $db->prepare('
        select name, count(newscontent.cat_id) as no, newscontent.cat_id
        from newscontent, content_cat
        where newscontent.cat_id = content_cat.cat_id
        group by newscontent.cat_id
        order by name DESC
        limit 100
    ');
    $result->execute(array());

    echo "<table width='10%' border='0' cellspacing='1' cellpadding='0'>";
    $i = 0;
    $j = 3; // number of columns in the table

    while ($nt = $result->fetch()) {
        $i = $i + 1;
        echo "<td><a href=newscat.php?cat_id=.htmlentities($nt['cat_id']);>$nt[name]</a>($nt[no])</td>";
        if ($i >= 3) {
            $i = 0; // start a new row
            echo "</tr><tr>";
        }
    }
    echo "</table>";
    echo "<hr>";
    ?>
    Please, can someone help me fix this htmlentities issue and also check whether this code is SQL vulnerable, since the query is passed directly to the database.

    Thank you
    Last edited by Dormilich; Sep 9 '13, 05:38 AM. Reason: fixed code tags
  • mutanx
    New Member
    • Sep 2013
    • 4

    #2
    Please accept this

    Hello, I tried to escape an outputted database plain string using htmlentities as below

    Code:
    echo "<font size=4 color=green><option value=$row3[cat_id]>$row3[name]</option></font>";

    I tried it this way but it is not working

    Code:
    echo "<font size=4 color=green><option value=htmlentities($row3[cat_id], ENT_QUOTES,"UTF-8")>htmlentities($row3[name], ENT_QUOTES, "UTF-8")</option></font>";

    Below is the entire code:

    Code:
    <?php
    require('./data6rst.php');

    $result = $db->prepare('
        select name, count(newscontent.cat_id) as no, newscontent.cat_id
        from newscontent, content_cat
        where newscontent.cat_id = content_cat.cat_id
        group by newscontent.cat_id
        order by name DESC
        limit 100
    ');
    $result->execute(array());

    echo "<table width='10%' border='0' cellspacing='1' cellpadding='0'>";
    $i = 0;
    $j = 3; // number of columns in the table

    while ($nt = $result->fetch()) {
        $i = $i + 1;
        echo "<td><a href=newscat.php?cat_id=$nt[cat_id]>$nt[name]</a>($nt[no])</td>";
        if ($i >= 3) {
            $i = 0; // start a new row
            echo "</tr><tr>";
        }
    }
    echo "</table>";
    echo "<hr>";
    ?>
    Please, can someone help me fix this htmlentities issue and also check whether this code is SQL vulnerable, since the query is passed directly to the database.

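The escaping the two posts above are trying to do, as an added example that is not part of the original thread or the poster's code: the htmlentities() call is moved out of the double-quoted string and concatenated (a function call cannot be interpolated into "..."), every value that lands in HTML goes through one escaping helper with the character set stated, the category id is URL-encoded before it is placed in the href, and attribute values are quoted so an escaped value cannot terminate them. It assumes $db is a PDO connection created in db.php (the prepare()/execute(array())/fetch() calls in the post suggest PDO) and that the tables have the columns the post uses; the loadCategoryNews() function and its query are illustrative, since newscat.php is not shown on the page.

```php
<?php
// Added example, not code from the original post. Assumes $db is a PDO
// connection created in db.php, as the prepare()/execute()/fetch() calls suggest.
declare(strict_types=1);

require './db.php';

// Every dynamic value that lands in HTML text or in an attribute goes through
// this. ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string for the whole value.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the href for a category link. The id is URL-encoded first (so '&',
// '#', spaces and similar cannot alter the query string) and then HTML-escaped
// because the result is placed inside an attribute.
function catLink(string $catId): string
{
    return h('newscat.php?cat_id=' . rawurlencode($catId));
}

// This query contains no user-supplied value, so there is nothing for an
// attacker to inject into it; the prepared statement is still the right habit.
$result = $db->prepare('
    SELECT content_cat.name,
           COUNT(newscontent.cat_id) AS no,
           newscontent.cat_id
    FROM newscontent
    JOIN content_cat ON newscontent.cat_id = content_cat.cat_id
    GROUP BY newscontent.cat_id, content_cat.name
    ORDER BY content_cat.name DESC
    LIMIT 100
');
$result->execute();

echo "<table width='10%' border='0' cellspacing='1' cellpadding='0'><tr>";
$i = 0;
$cols = 3; // number of columns in the table

while ($nt = $result->fetch(PDO::FETCH_ASSOC)) {
    $i++;
    // The function calls sit outside the string literal and the pieces are
    // concatenated; attribute values are quoted.
    echo '<td><a href="' . catLink((string) $nt['cat_id']) . '">'
       . h((string) $nt['name']) . '</a>(' . h((string) $nt['no']) . ')</td>';
    if ($i >= $cols) {
        $i = 0; // start a new row
        echo '</tr><tr>';
    }
}
echo '</tr></table><hr>';

// Illustrative only: newscat.php is not shown in the post. This is where
// user input (cat_id from the query string) reaches a query, so the value is
// bound as a parameter rather than concatenated into the SQL text.
function loadCategoryNews(PDO $db, string $catId): array
{
    $stmt = $db->prepare('SELECT * FROM newscontent WHERE cat_id = :cat_id');
    $stmt->execute([':cat_id' => $catId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

On the SQL question raised in the post: the listed query takes no value from the request, so there is nothing to inject into it. The place to check is newscat.php, which receives cat_id from the query string; binding that value with a prepared statement, as loadCategoryNews() does, keeps it out of the SQL text regardless of what the link carried.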

    • Dormilich
      Recognized Expert Expert
      • Aug 2008
      • 8694

      #3
      see http://www.dreamincode.net/forums/to...string-in-php/
