PHP - security etc

Andy Armstrong andy at
Wed Mar 7 16:26:28 GMT 2007

On 7 Mar 2007, at 16:15, Dominic Mitchell wrote:
> I disagree.  Not only does PHP not make it easy to be secure, it makes
> it actively hard to be correct as far as I can see...  For example,
> requiring you to call htmlspecialchars() on every string that ends  
> up in
> the page is completely inexcusable in order to avoid XSS attacks.

I don't understand this. If the string contains HTML you don't want  
to escape it. If it contains plain text that you want to HTML escape  
then /of course/ you have to escape it.

Andy Armstrong,

More information about the mailing list