I found this post today by Miles Baker about how to create custom landing pages using PHP. At the end of the article he suggests using HTMLSpecialChars to protect yourself. While that is generally correct if you know every place you will be outputting code is within the HTML constructs, it’s really not foolproof. I’m really not sure why this function even exists, since it doesn’t do what people want it to do. It only works in some very specific circumstances.
In the case of parameter injection it only works if the user input is encapsulated within double quotes (not single quotes), and even then only if the page itself isn’t vulnerable to variable-width encoding issues or other character issues. Maybe it’s me, but can anyone tell me why this function exists, or at minimum why it doesn’t escape single quotes and grave accents, and preferably why it hasn’t been updated to take charsets into account? I think PHP would be safer, and the amount of code it would break would be minimal, compared to how many sites are vulnerable due to ignorance of what the function actually does and doesn’t protect against.
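As an added example that is not part of the original post, here is a PHP snippet contrasting the default htmlspecialchars() call with one that passes ENT_QUOTES, ENT_SUBSTITUTE and an explicit charset, in the single-quoted attribute context the post describes; the sample input strings and the check function safeForQuotedAttribute are constructed for this illustration.

```php
<?php
// Added example, not code from the original post. Shows why the default
// htmlspecialchars() flags are insufficient outside a double-quoted attribute
// and what a stricter call looks like. Inputs below are constructed.

$name = "O'Brien";          // constructed: contains only a single quote
$bytes = "\xC0\xAF";        // constructed: an overlong (invalid) UTF-8 sequence

// Default flags (ENT_COMPAT before PHP 8.1): the single quote is passed
// through untouched, so it can terminate a single-quoted attribute value.
$default = htmlspecialchars($name);

// ENT_QUOTES escapes both quote styles. ENT_SUBSTITUTE replaces invalid
// byte sequences with U+FFFD instead of returning an empty string, and the
// explicit charset removes any dependence on the PHP version's default.
$strict = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$strictBytes = htmlspecialchars($bytes, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Same template, two escapers: only the strict output stays inside the
// attribute when the template author chose single quotes.
echo "<input value='$default'>\n";
echo "<input value='$strict'>\n";
echo "<input value='$strictBytes'>\n";

// A review-time check (constructed helper): an escaped string destined for
// an HTML attribute must contain none of the characters that can delimit
// the attribute or open a tag, whichever quote style the template uses.
function safeForQuotedAttribute(string $escaped): bool
{
    return strpbrk($escaped, "<>\"'`") === false;
}

var_dump(safeForQuotedAttribute($default));  // fails: raw single quote survives
var_dump(safeForQuotedAttribute($strict));   // passes: quote is entity-encoded
```

The check only covers HTML attribute and text contexts; output placed inside a script block, a URL or a CSS value needs a context-specific encoder, which is the broader point the post is making.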