DB To XML

Any Security Issues?

kkonline

5:26 pm on Aug 18, 2007 (gmt 0)

I am using the following code to extract data from a database and convert it to XML format. I am concerned whether there is anything extra I would be required to do before displaying the data. Any security issues with the code? Because to input data to the db we use SQL/XSS prevention, so is there anything similar or different that must be done to prevent any kind of attack?

<?php
$hostname_conn = "localhost";
$database_conn = "mysql";
$username_conn = "root";
$password_conn = "";
$conn = mysql_pconnect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(), E_USER_ERROR);

mysql_select_db($database_conn, $conn);
$query_rsAll = "SELECT * FROM phpnews_news";
$rsAll = mysql_query($query_rsAll, $conn) or die(mysql_error());
$row_rsAll = mysql_fetch_assoc($rsAll);
$totalRows_rsAll = mysql_num_rows($rsAll);

header('Content-type: text/xml');
header('Pragma: public');
header('Cache-control: private');
header('Expires: -1');

echo '<?xml version="1.0" encoding="utf-8"?>';
echo '<root>';
if ($totalRows_rsAll > 0) {
    do {
        echo '<row>';
        foreach ($row_rsAll as $column => $value) {
            // each column becomes an element; the value is echoed raw inside CDATA
            echo '<' . $column . '><![CDATA[' . $row_rsAll[$column] . ']]></' . $column . '>';
        }
        echo '</row>';
    } while ($row_rsAll = mysql_fetch_assoc($rsAll));
}
echo '</root>';
mysql_free_result($rsAll);
?>

Habtom

6:22 am on Aug 19, 2007 (gmt 0)

I don't see any :)

But I have noticed you include the connection settings at the top of every page. Is it for the thread's purpose, or do you really do that? It might be difficult for you to maintain if you have it on every page. Consider putting it in a separate file like config.php and including it on the pages.

<?php
$hostname_conn = "localhost";
$database_conn = "mysql";
$username_conn = "root";
$password_conn = "";
$conn = mysql_pconnect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(),E_USER_ERROR);
?>

Little tip: instead of the "*", list the column names; you might also be selecting columns you never use in this case.

$query_rsAll = "SELECT * FROM phpnews_news";

Habtom

kkonline

6:21 am on Aug 21, 2007 (gmt 0)

I am working with an article manager and don't want & , ; % - ' " to be misprinted; also, the data should be free from XSS attacks as much as possible.

I am extracting data from db and then converting it into XML.

I use
$row_rsAll[$column] = htmlentities($row_rsAll[$column], ENT_NOQUOTES, 'UTF-8');

in the XML conversion code. Is that fine, or should I use htmlspecialchars?

My aim is to secure against XSS and also the XML data when printed (when the article is printed in the browser it should not show &at; &quot; &amp).

Or should I use the XSS-specific code written at [svn.bitflux.ch...]
and apply it to $row_rsAll?
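Both questions in the thread, the echo-into-CDATA template of the first post and the htmlentities() versus htmlspecialchars() question of the last one, come down to how a value reaches the XML text node. The example below is added here and is not the poster's code: it builds the document with PHP's XMLWriter (assumed available, PHP 7+ with the xmlwriter and dom extensions), which escapes &, < and > itself, so a value containing ]]> cannot close a CDATA section early and no HTML-only named entities such as &eacute; (undefined in XML) are produced. The rows are constructed arrays so it runs without a database.

```php
<?php
// Added example (not the poster's code): emit rows as XML with XMLWriter.
// Assumes PHP 7+ with the xmlwriter and dom extensions; rows are constructed.

// Remove characters that XML 1.0 forbids even when escaped (C0 controls etc.).
function strip_invalid_xml_chars(string $s): string
{
    return preg_replace(
        '/[^\x{9}\x{A}\x{D}\x{20}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]/u', '', $s);
}

// Whitelisted columns double as element names (no SELECT *, as Habtom suggested).
function rows_to_xml(array $rows, array $columns = ['id', 'title', 'body']): string
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->startDocument('1.0', 'UTF-8');
    $w->startElement('root');
    foreach ($rows as $row) {
        $w->startElement('row');
        foreach ($columns as $column) {
            // writeElement() escapes &, < and > in the text node itself.
            $w->writeElement($column, strip_invalid_xml_chars((string) ($row[$column] ?? '')));
        }
        $w->endElement(); // row
    }
    $w->endElement(); // root
    $w->endDocument();
    return $w->outputMemory();
}

// Does the output parse, and did the injected <script> stay plain text?
function xml_is_safe(string $xml): bool
{
    $doc = new DOMDocument();
    return @$doc->loadXML($xml) !== false
        && $doc->getElementsByTagName('script')->length === 0;
}

// Constructed rows: the second one carries a CDATA terminator plus markup,
// which the original echo-into-CDATA template would emit as live XML.
$rows = [
    ['id' => 1, 'title' => 'Tom & Jerry', 'body' => 'x < y, "quoted"'],
    ['id' => 2, 'title' => 'Break out', 'body' => "]]><script>alert(1)</script><![CDATA[\x01"],
];
$xml = rows_to_xml($rows);
echo $xml;
echo xml_is_safe($xml) ? "well-formed, no script element\n" : "BROKEN\n";
```

When served over HTTP, send header('Content-Type: text/xml; charset=utf-8') before echoing, as the original script does.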