htmlspecialchars and escaping with datatables

htmlspecialchars and escaping with datatables

lyndonwillyndonwil Posts: 40Questions: 5Answers: 0
edited February 2014 in General
Hi Guys

I have a server processed table and i'd like to improve the security. I use htmlspecialchars and have tried to implement it within the server processing php script. whatever i try though, i'm getting parse errors.

Does anyone have any ideas?

[code]
while ( $aRow = mysql_fetch_array( $result ) )
{
$row = array();

$row['DT_RowId'] = 'row_'.$aRow[$sIndexColumn]; //'id replaced with index column LW

//Add Specific Classes for certain tables
if ($_SESSION['tablephpid']=='enquiry' ) {
$row['DT_RowClass'] = $aRow['result'];
}

for ( $i=0 ; $i

Replies

  • tangerinetangerine Posts: 3,365Questions: 39Answers: 395
    [quote]I have tried to add the htmlspecialchars within the echo at the bottom[/quote]
    How?
    And what are the precise "parse errors" you're getting?
  • lyndonwillyndonwil Posts: 40Questions: 5Answers: 0
    i'm using

    [code]htmlspecialchars($json_encode($output), ENT_QUOTES, 'UTF-8');[/code]

    JSON data from server could not be parsed. this is caused by a JSON formatting error
  • lyndonwillyndonwil Posts: 40Questions: 5Answers: 0
    sorry, that should read :

    echo htmlspecialchars(json_encode($output), ENT_QUOTES, 'UTF-8');
  • allanallan Posts: 63,692Questions: 1Answers: 10,500 Site admin
    edited February 2014
    You would be encoding the entire JSON output - including characters such as `"` (to `"` ). Whihc is going to result in invalid JSON - that error means exactly what it says.

    You need to encode each individual component. In the general output line for that code for example.

    Allan
  • tangerinetangerine Posts: 3,365Questions: 39Answers: 395
    ...or look at using something like array_walk() on the $output array. It might be array_map(), I can't remember for sure. PHP sites will have examples of htmlspecialchars with multi-dimensional arrays.
    Incidentally if you're just pulling data from a database htmlspecialchars doesn't have much relevance to security.
  • lyndonwillyndonwil Posts: 40Questions: 5Answers: 0
    thank you for the comments guys.

    i think this is probably a lack of knowledge on my part.. basically, i wanted to stop the user from being able to utilise html within the fields. Ie. if they save a name with bob..

    at the moment, this will show the field in bold within the table. i could stop the user from entering < or > but thought i could do this when processing the php ?
  • allanallan Posts: 63,692Questions: 1Answers: 10,500 Site admin
    Two options - encode it on input or encode it on output. Either way its up to you, but `htmlspecialchars` is the correct function to use in PHP.
  • tangerinetangerine Posts: 3,365Questions: 39Answers: 395
    In the interests of clarity, I meant use htmlspecialchars inside a call to array_walk().
    This link shows examples:
    http://www.hawkee.com/snippet/8641/
This discussion has been closed.