> When using forms, when do I have to worry about cleaning up user data? I
> know to use escapeshellarg() when using system functions, but how about when
> using the user data for database inserts? Also, if I do not insert the data
> into the database or use any system commands, do I still need to clean the
> data?
If you're going to do anything with it, then you have to validate/clean it. This means using it in a query, writing it to a file, displaying it back to the user, using it in an email, etc. For your very vague question, I'd have to say the very vague answer is that you have to clean EVERYTHING.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
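Added example, not from the thread above: the reply's point is that "cleaning" depends on where the value ends up, so one untrusted form value is passed through a different guard for each sink it reaches (database, HTML output, shell, email header, file name). The sample input, the in-memory SQLite database, the table layout and the log path are constructed for the example; only escapeshellarg() comes from the original question.

```php
<?php
// One untrusted value (constructed sample) that would be harmful in several contexts.
$userInput = "Robert'); DROP TABLE users; --<script>alert(1)</script>\r\nBcc: someone@example.com";

// 1. Database: bind the value as a parameter so it is data, never part of the SQL text.
function insertName(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

// 2. Display: escape for the HTML context at output time, not at storage time.
function renderName(string $name): string
{
    return '<p>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// 3. Shell: quote the value as a single argument (the guard the question already mentions).
function buildCommand(string $name): string
{
    return 'grep ' . escapeshellarg($name) . ' /var/log/app.log'; // hypothetical log path
}

// 4. Email header: a CR or LF lets the value add its own headers (e.g. Bcc:),
//    so reject such input outright instead of trying to repair it.
function safeHeaderValue(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return $value;
}

// 5. File name: allow only a known-good character set instead of stripping "bad" ones.
function safeFileName(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('unacceptable file name');
    }
    return $name;
}

// Demonstration against an in-memory SQLite database (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
insertName($db, $userInput);
$stored = $db->query('SELECT name FROM users')->fetchColumn();
var_dump($stored === $userInput); // bool(true): stored verbatim, no SQL was executed from it

echo renderName($stored), "\n";   // <script> appears as &lt;script&gt;
echo buildCommand($stored), "\n"; // whole value is one single-quoted shell argument

foreach (['safeHeaderValue', 'safeFileName'] as $guard) {
    try {
        $guard($stored);
    } catch (InvalidArgumentException $e) {
        echo "$guard rejected the input: {$e->getMessage()}\n";
    }
}
```

The value is stored unchanged; each guard is applied only when the value reaches the sink it protects, which is why escaping for one context (say, the shell) says nothing about whether the value is safe in another (say, an HTML page or a mail header).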