|Encoding PHP Tags for Security?||#1|
Kohana and Codeigniter both have
? What is the security threat?
posted date: 2009-04-12 16:48:00
|Re: Encoding PHP Tags for Security?||#3|
Why they've listed this as a security-related function I couldn't tell you, but this pretty much just replaces the < and > in the PHP tags with their encoded forms, thus disallowing the actual PHP code between the tags to be parsed. Purely a visual thing, but there you have it...
posted date: 2009-04-12 17:08:00
|Re: Encoding PHP Tags for Security?||#4|
A smart fellow on the #kohana forum suggested that it is there because Expression Engine uses eval() for templates. If someone were to embed PHP in a string it is possible it would be eval()'d and executed. Since Kohana does not use eval() for templates it is possible that it is just left over from Codeigniter days.
posted date: 2009-04-12 17:09:00
|Re: Encoding PHP Tags for Security?||#5|
If your application allows user input to be written as a file of some kind, you should prevent the user from entering PHP code that could then be executed on your server.
posted date: 2009-04-12 17:10:00
|Re: Encoding PHP Tags for Security?||#6|
This ensures that any PHP code in user input will not be executed if, for example, the application writes the input to a file or passes it to
. Or if you just want to write out some PHP code to show the browser.
posted date: 2009-04-12 17:17:00
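As an added illustration of what #3 and #6 describe (this is not code from the thread or from either framework), a minimal PHP stand-in for the tag-encoding helper, followed by a check with PHP's own tokenizer that the encoded string no longer contains an open tag the interpreter would act on. The function names `encode_php_tags_demo` and `contains_php_open_tag` and the sample input are constructed here.

```php
<?php
// Added example: minimal stand-in for the framework helper discussed above.
// It does what #3 describes: replace the angle brackets of PHP tags with
// their HTML entities, so the interpreter never sees an open/close tag.
function encode_php_tags_demo(string $str): string
{
    return str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $str);
}

// Defender-side check: ask PHP's own tokenizer whether a string, if it were
// ever written to a file and included or passed to eval(), would contain an
// open tag. T_OPEN_TAG / T_OPEN_TAG_WITH_ECHO are what the parser acts on;
// T_INLINE_HTML is plain text that is only echoed back.
function contains_php_open_tag(string $str): bool
{
    foreach (token_get_all($str) as $token) {
        if (is_array($token)
            && in_array($token[0], [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO], true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample "user input", e.g. a profile field or template snippet.
$userInput = "Hello <?php echo 'injected'; ?> and <?= 'also injected' ?>";
$encoded   = encode_php_tags_demo($userInput);

// Compare the tokenizer's verdict on the raw and the encoded string.
var_dump(contains_php_open_tag($userInput));
var_dump(contains_php_open_tag($encoded));
echo $encoded, PHP_EOL;
```

The `&lt;` entity also makes the tag render as literal text in a browser, which is the visual effect #3 mentions; it is not a substitute for htmlspecialchars() on the rest of the string. Whether a bare `<?` without `php` is tokenized as an open tag depends on the short_open_tag setting, so the check reflects the interpreter's actual configuration.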
|Re: Encoding PHP Tags for Security?||#7|
The usage point is clear: your website users should not write PHP code in your forms. If you're using other XSS-prevention methods provided for CI or Kohana, there's no need to use this.
posted date: 2009-04-12 17:19:00
|Re: Encoding PHP Tags for Security?||#8|
Would you consider htmlspecialchars() or mysqli_real_escape_string() to be purely visual things?
posted date: 2009-04-12 17:28:00