Is there a security leak using htmlspecialchars and not encoding &?

mrdayganteng

New Member
I'm currently using the following line in one of my projects:

[code]htmlspecialchars($value, ENT_QUOTES, 'UTF-8');[/code]

Thus it encodes &, ', ", <, >. My question is whether there is (as I'm contemplating it for some internal coding reasons) any security risk involved in not encoding &. That is, whether using the following line would create a security risk/leak:

[code]$value = str_replace('&amp;', '&', $value);[/code]

For <, >, ', " it is perfectly clear to me WHY they should be encoded, as they could be used for HTML injection. But for & I don't see a reason (nor did I find any special reason so far).

EDIT: As database access was mentioned a few times: I'm using Doctrine there with parameters, so the database should be (relatively) safe from SQL injections. The above conversion was made solely to prevent HTML injection, but currently, as most of the data lands in fields created by ExtJS, the "&" conversion gets in the way there, as in the text field [code]&amp;[/code] is displayed instead of [code]&[/code]. Sadly, because of an architectural error, I can only do the whole htmlspecialchars and str_replace part at one and only one location (if I do it at all), and there I can't differentiate. Hence also my question regarding the [code]&[/code].
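As an added example that is not part of the original post, the following Python models the two PHP encoders from the question (the full htmlspecialchars call and the variant that puts & back) and checks which of them survives a single entity-decoding pass; the sample values are constructed.

```python
import html

# Added example (not from the original post): models the two encoders discussed
# in the question and shows which property is lost when '&' is left unencoded.

def escape_full(value: str) -> str:
    """Equivalent of htmlspecialchars($value, ENT_QUOTES, 'UTF-8'): & < > " '
    are all encoded (Python writes ' as &#x27; where PHP writes &#039;)."""
    return html.escape(value, quote=True)

def escape_keep_amp(value: str) -> str:
    """The variant from the question: htmlspecialchars followed by
    str_replace('&amp;', '&', $value), i.e. every '&' is restored."""
    return escape_full(value).replace("&amp;", "&")

def round_trips(encoder, value: str) -> bool:
    """True if one entity-decoding pass (a browser, an HTML-aware widget,
    a later html_entity_decode) gives back exactly what the user typed."""
    return html.unescape(encoder(value)) == value

def collides(encoder, a: str, b: str) -> bool:
    """True if two different inputs encode to the same output, so nothing
    downstream can tell them apart any more."""
    return a != b and encoder(a) == encoder(b)

if __name__ == "__main__":
    # Constructed sample inputs: a harmless ampersand and a value that
    # merely looks like an entity.
    for value in ("Tom & Jerry", "&lt;b&gt;"):
        print(f"{value!r:14} full={escape_full(value)!r:22} "
              f"keep_amp={escape_keep_amp(value)!r}")
    # With '&' unencoded, real markup and text that looks like markup collide:
    print(collides(escape_keep_amp, "<b>", "&lt;b&gt;"))  # True
    print(collides(escape_full, "<b>", "&lt;b&gt;"))      # False
```

What it shows: leaving & unencoded does not by itself let markup through, but it makes the encoding lossy, so any later step that decodes entities cannot distinguish a user who typed `<b>` from one who typed `&lt;b&gt;`.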