2

I'm using Flex 3 with remoting to return data from a MySQL database. Do I need to use htmlspecialchars in order to keep my site secure?

As I understand it, htmlspecialchars is used to "sanitize" data returned from the db. For example:

    // Returns latitude/longitude pairs for one $type as VOmyData value objects
    // (VOmyData is defined elsewhere in the project; the function name is illustrative)
    function getCoordinates($type) {
        // Escape $type before interpolating it into the query string; left unescaped it is a SQL injection vector
        $type = mysql_real_escape_string($type);
        $query = "SELECT latitude, longitude FROM myTable WHERE type = '$type'";
        $result = mysql_query($query);

        $ret = array();
        while ($row = mysql_fetch_object($result)) {
            $tmp = new VOmyData();
            $tmp->latitude = $row->latitude;
            $tmp->longitude = $row->longitude;
            $ret[] = $tmp;
        }
        mysql_free_result($result);

        return $ret;
    }

How do I use it in the case above?

return htmlspecialchars($ret);

or do I write:

$result = htmlspecialchars($result);

or something else?

user229044
Laxmidi

1 Answer

2

htmlspecialchars() is used to sanitize user-supplied input if you're echoing it back to the user, in order to prevent Cross-Site Scripting (XSS). Additionally, if your DB is storing HTML-formatted strings and you want to display them to the user as text (as opposed to having them interpreted by their browser as HTML), then use htmlspecialchars().

In your case, if the output is just numbers, it's not really necessary.

Dan
  • For future reference, it operates on strings, not arrays. Something like `return htmlspecialchars($retString);` – Dan May 23 '11 at 23:18
  • Hi Dan, Thanks for the great info. I actually over simplified my example. In addition to numbers, I also return some strings. Would I need htmlspecialchars in that case? I'm not returning any HTML from the db. Thank you. – Laxmidi May 24 '11 at 13:48
  • If the DB was populated with user-supplied data, you would. (Though this would raise other security issues.) But if it's all your own data, you should be fine without it. – Dan May 24 '11 at 13:50
  • Hi Dan, Thanks so much for the help. None of the data is user supplied, so I should be in good shape. Again, thank you. – Laxmidi May 24 '11 at 14:58
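Putting Dan's advice into code, as an added example that is not from the original post: htmlspecialchars() only takes a string, so to cover an array of VOmyData objects like $ret you walk the structure and encode each string at the point where it is written into an HTML page, leaving the numeric fields alone. The VOmyData class, the label field and the sample row are constructed here for illustration.

```php
<?php
// Value object in the same shape as the question's VOmyData, with one
// string field added so there is something to encode (constructed sample).
class VOmyData {
    public $latitude;
    public $longitude;
    public $label;
}

// Recursively apply htmlspecialchars() to every string inside $value.
// ENT_QUOTES also encodes single quotes, so the result is safe inside
// attribute values; the charset must match the page's declared encoding.
// Numbers, booleans and null pass through unchanged, which is why the
// latitude/longitude fields in the question never needed it.
function escapeForHtml($value) {
    if (is_string($value)) {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    if (is_array($value)) {
        return array_map('escapeForHtml', $value);
    }
    if (is_object($value)) {
        $copy = clone $value; // never mutate the object still held by the caller
        foreach (get_object_vars($copy) as $name => $prop) {
            $copy->$name = escapeForHtml($prop);
        }
        return $copy;
    }
    return $value;
}

// Constructed row mirroring what the remoting method returns.
$row = new VOmyData();
$row->latitude  = 48.8566;
$row->longitude = 2.3522;
$row->label     = 'Rome <b>centre</b> & "old town"';

// Encode only when rendering into HTML, not when storing or when returning
// data over remoting, where the Flex client is not an HTML renderer.
$safe = escapeForHtml(array($row));
echo '<li data-lat="', $safe[0]->latitude, '">', $safe[0]->label, "</li>\n";
```

The encoded output is only correct for an HTML context; a value later embedded in JavaScript, a URL or a SQL query needs the encoding of that context instead.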