Restrict Characters in TITLE attribute?

I have an “upload_photo.php” script that allows Users to add a “Photo Label” below the Photo they are uploading.

This gets displayed using the TITLE attribute in the IMG tag.

Is there any reason why I would want to restrict what characters can go in the “Photo Label”?

Not sure if this is a possible “Attack Vector” or not?

Thanks,

Debbie

DD,

Why ask when you already know the answer to that?

Of course you’ve heard of SQL injection attacks so, at the very least, run your title through mysqli_real_escape_string. I’d be pickier than that but it’s a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection but mysqli_real_escape_string will encode those (or change them to \' before submitting in a query).

Regards,

DK

Also, as you already know, apply htmlentities() to the title when echoing to prevent XSS.
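An added example, not code from the thread, showing the two separate concerns raised above for a photo label: storing it safely (a prepared statement is used here in place of mysqli_real_escape_string) and encoding it when it is echoed into the ALT/TITLE attributes. The allow-list regex, length cap, and the `photos` table and column names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Input side (upload_photo.php): an optional allow-list. This is defence in
// depth only; output encoding below is what actually prevents XSS.
// Returns null when the label is rejected. Policy is assumed, not the thread's.
function validate_photo_label(string $label): ?string
{
    $label = trim($label);
    if ($label === '' || mb_strlen($label, 'UTF-8') > 100) {
        return null;
    }
    // Letters, digits, spaces and a little punctuation; no quotes or < > &.
    if (!preg_match('/^[\p{L}\p{N} .,!?-]+$/u', $label)) {
        return null;
    }
    return $label;
}

// Storage side: bind the label as a parameter so it is never interpolated
// into the SQL text at all. Table and column names are assumed.
function store_photo(mysqli $db, int $userId, string $file, string $label): bool
{
    $stmt = $db->prepare(
        'INSERT INTO photos (user_id, filename, label) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('iss', $userId, $file, $label);
    return $stmt->execute();
}

// Output side: the label sits inside a quoted attribute, so " ' < > & must
// all be encoded or a label could close the attribute and add its own markup.
// ENT_QUOTES encodes both quote styles, which htmlentities() alone does not.
function esc_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_photo(string $src, string $label): string
{
    return sprintf(
        '<img src="%s" alt="%s" title="%s">',
        esc_attr($src),
        esc_attr($label),
        esc_attr($label)
    );
}

// Constructed sample labels: the first passes the allow-list, the second is
// rejected by it, yet still renders as inert text if it ever reaches output.
$ok  = 'Summer trip 2012';
$bad = 'Our "summer" trip <2012>';
var_dump(validate_photo_label($ok) !== null, validate_photo_label($bad) === null);
echo render_photo('/uploads/42.jpg', $ok), PHP_EOL;
echo render_photo('/uploads/42.jpg', $bad), PHP_EOL;
```

The second echoed tag keeps `Our "summer" trip <2012>` entirely inside the attribute as entities, so the browser shows it as a plain tooltip rather than interpreting it as markup.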

If I knew the answers I wouldn’t be wasting my time here… :rolleyes:

Of course you’ve heard of SQL injection attacks so, at the very least, run your title through mysqli_real_escape_string. I’d be pickier than that but it’s a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection but mysqli_real_escape_string will encode those (or change them to \' before submitting in a query).

Regards,

DK

I don’t understand what I’m supposed to do with mysqli_real_escape_string

Debbie

I have to use htmlentities() for ALT and TITLE attributes?! :eek:

Debbie

Yes. See PM.