// $db is the JDatabase object and $query the SQL statement built earlier
$db->setQuery($query);
$row = $db->loadAssoc();
if ($db->getNumRows() !== 1)
{
    // handle unexpected query result (no row, or more than one row)
}
XSS (Cross Site Scripting)
XSS is the injection of scripts that execute on the client side and take advantage of the user's local rights in the browser. These attacks normally take the form of JavaScript. Another, slightly less common, form of XSS attack uses specially crafted images that execute code on the client; a good example of this is a Microsoft security flaw that was reported in 2004 (http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx).
When we use JRequest::getVar() it automatically strips out XSS code, unless we use the JREQUEST_ALLOWRAW mask. We generally use this mask when dealing with large text fields that are rendered using an editor; if we do not, valuable XHTML formatting data will be lost.
When we use the JREQUEST_ALLOWRAW mask we need to think carefully about how we process the data, because the value has not been filtered. When rendering the data, remember to use the PHP htmlspecialchars() function or the static JOutput class to make the data safe for rendering in an XHTML page.
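The following is an added illustration, not code from the book, of the two getVar() styles just described and of escaping on output. It assumes it runs inside a Joomla 1.5 component (JRequest and JREQUEST_ALLOWRAW available); the field names title and description are hypothetical.

```php
<?php
// Added example (not from the book). Assumes a Joomla 1.5 component context.

// Default mask: JRequest::getVar() filters script and event-handler content
// out of the value before we ever see it.
$title = JRequest::getVar('title', '', 'post', 'string');

// JREQUEST_ALLOWRAW keeps the editor's XHTML intact. From here on the value
// is unfiltered user input and must be handled as such.
$description = JRequest::getVar('description', '', 'post', 'string', JREQUEST_ALLOWRAW);

/**
 * Escape a value for use as text or attribute content in an XHTML page.
 * Encoding quotes as well (ENT_QUOTES) keeps the value safe inside attributes.
 */
function escapeForXhtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Short field: always escaped when rendered.
echo '<h1>' . escapeForXhtml($title) . '</h1>';

// Raw editor content fed back into the editor's textarea (e.g. redisplaying the
// form after a validation error): it is placed in a text context, so it is
// escaped too. The browser shows the literal markup for editing rather than
// executing anything embedded in it.
echo '<textarea name="description">' . escapeForXhtml($description) . '</textarea>';
```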