A new project abounds…
Following a shout-out from a classmate, I’ve had a look at his Flash / PHP e-mail script.
While not a bad prospect, it didn’t work, sadly because ini_set was being used incorrectly: the parser complained of an “unexpected” encapsulated string on line 10…
Unfortunately, he had also neglected to make use of PHP’s many built-in string-handling functions; particularly those that can help quash cross-site scripting and injection attacks.
Passing any given text through htmlspecialchars encodes the following characters:
- Less-than and greater-than signs;
- Ampersands (quite useful for encoding URLs, as recommended by PHP.net);
- Single and double quote-marks (as long as the correct parameter is set).
However, for a more blanketed approach, perhaps htmlentities would have been better…
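To make the difference concrete, here is an added example (my own code, not the classmate’s script or anything from PHPSec) that feeds one constructed “name” field through no escaping, htmlspecialchars with the quote parameter set, and htmlentities, and renders each into a confirmation page of the kind an e-mail script would show. The page markup and the `renderUnsafe`/`renderEscaped`/`renderEntities`/`renderAttribute` function names are mine.

```php
<?php
// Added example, not code from the original post or from PHPSec.
// Shows what htmlspecialchars() and htmlentities() change in user-supplied
// text before it is echoed into HTML (e.g. a "thanks, we got your message"
// page that reflects the sender's name).

declare(strict_types=1);

// Constructed sample input: a "name" field a hostile visitor might submit.
$submitted = "O'Reilly & Sons <script>alert(\"x\")</script> café";

// Unsafe: the text goes straight into the page, so the <script> tag runs
// in every visitor's browser that sees this output.
function renderUnsafe(string $name): string
{
    return "<p>Thanks, " . $name . "!</p>";
}

// Safe for an HTML body: encodes <, >, & and both quote styles.
// ENT_QUOTES is the "correct parameter" that makes single quotes get
// encoded; without it only double quotes are converted. Pass the charset
// explicitly so the function never guesses.
function renderEscaped(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Thanks, " . $safe . "!</p>";
}

// The "more blanketed approach": htmlentities() does everything above and
// additionally converts every character that has a named HTML entity
// (e.g. "é" becomes "&eacute;"), so the output is pure ASCII.
function renderEntities(string $name): string
{
    $safe = htmlentities($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Thanks, " . $safe . "!</p>";
}

// Escaping is context-specific. Inside a *quoted* attribute the same call
// is enough, because the quote characters that could close the attribute
// are encoded. An unquoted attribute would not be protected at all.
function renderAttribute(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="sender" value="' . $safe . '">';
}

echo renderUnsafe($submitted), PHP_EOL;
echo renderEscaped($submitted), PHP_EOL;
echo renderEntities($submitted), PHP_EOL;
echo renderAttribute($submitted), PHP_EOL;
```

Run it with `php example.php` and compare the four lines: the first still contains a live `<script>` element, the other three show it as inert text. The reason to prefer htmlspecialchars over htmlentities for most output is that it leaves legitimate non-ASCII (the “é”) readable in the source; htmlentities is the safer choice only when you cannot be sure the page will be served with the right charset.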
Having found the marvellous PHPSec, I think their guide (with admittedly a much wider catchment) to the same subject is a very good read! Go find:
http://phpsec.org/projects/guide/1.html