Is it possible for users to insert forbidden characters into sites with htmlentities or mysql_escape_string?
So, in my brief research in PHP security, I have been guided toward two important functions to remove forbidden characters from forms, one being "htmlentities" and the other being "mysql_escape_string". What I am wondering is if there is a common way for hackers to insert malicious forbidden characters into the forms despite the functions. I am suspicious that this is possible, since this is such a commonly employed security technique. Is an extra layer of security needed?
NB: I understand that mysql_escape_string may become deprecated soon.