Encoding PHP Tags for Security?#1
Kohana and Codeigniter both have encode_php_tags(). I understand XSS cleaning (for JavaScript), but when and why would you use encode_php_tags()? What is the security threat?

posted date: 2009-04-12 16:48:00


Re: Encoding PHP Tags for Security?#2
I had made out the solution of this problem. Click to view my topic...

Hope that helps.

posted date: 2009-04-12 16:48:01


Re: Encoding PHP Tags for Security?#3
Why they've listed this as a security-related function I couldn't tell you, but this pretty much just replaces the < and > in the PHP tags with their encoded forms, thus disallowing the actual PHP code between the tags to be parsed. Purely a visual thing, but there you have it...

posted date: 2009-04-12 17:08:00


Re: Encoding PHP Tags for Security?#4
A smart fellow on the #kohana forum suggested that it is there because Expression Engine uses eval() for templates. If someone were to embed PHP in a string it is possible it would be eval()'d and executed. Since Kohana does not use eval() for templates it is possible that it is just left over from Codeigniter days.

posted date: 2009-04-12 17:09:00


Re: Encoding PHP Tags for Security?#5
If your application allows user input to be written as a file of some kind, you should prevent the user from entering PHP code that could then be executed on your server. encode_php_tags() prevents this.

posted date: 2009-04-12 17:10:00


Re: Encoding PHP Tags for Security?#6
This ensures that any PHP code in user input will not be executed if, for example, the application writes the input to a file or passes it to eval(). Or if you just want to write out some PHP code to show the browser.

posted date: 2009-04-12 17:17:00
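
Added example (not part of the thread, and not the frameworks' own code): a stand-in helper, named encode_php_tags_demo() here, checked with PHP's tokenizer to show the effect replies #5 and #6 describe. The function names and the sample input are constructed for illustration; nothing in the input is executed.

```php
<?php
// Stand-in for the frameworks' helper (assumption: same idea, not their source).
// Replaces the tag delimiters with HTML entities so the PHP parser no longer
// recognises an opening or closing tag in the string.
function encode_php_tags_demo(string $str): string
{
    return str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $str);
}

// Returns true if PHP's own tokenizer would switch into code mode anywhere in
// $data, i.e. if a file with this content were included, or the string were
// handed to an eval()-based template engine, some of it would run as PHP.
function contains_php_code(string $data): bool
{
    foreach (token_get_all($data) as $token) {
        if (is_array($token)
            && in_array($token[0], [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO], true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: a harmless comment body carrying PHP tags.
$input = "Nice post! <?php echo 1 + 1; ?> and <?= 'hi' ?>";

$encoded = encode_php_tags_demo($input);
$escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

// Raw input: the tokenizer finds open tags, so the content is live code
// wherever it ends up being parsed by PHP.
var_dump(contains_php_code($input));

// After tag encoding: the whole string is inline HTML to the parser.
var_dump(contains_php_code($encoded));

// General HTML escaping also removes the "<" that starts a tag, which is
// the comparison reply #8 raises.
var_dump(contains_php_code($escaped));

echo $encoded, PHP_EOL;
```

The check is useful as a test for any code path that stores user input in files PHP may later parse; the encoding itself only helps when that stored text is treated as HTML, so keeping user input out of included files and eval() remains the stronger control.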


Re: Encoding PHP Tags for Security?#7
The usage point is clear, your website users have not to write PHP codes in your forms. If you're using other XSS preventing methods provided for CI or Kohana there's no necessity to use this.

posted date: 2009-04-12 17:19:00


Re: Encoding PHP Tags for Security?#8
Would you consider htmlspecialchars() or mysqli_real_escape_string() to be purely visual things?

posted date: 2009-04-12 17:28:00

