John Holmes wrote:
$uservar = htmlspecialchars(strip_tags($uservar));
You don't need to use strip_tags _and_ htmlspecialchars()... unless you want strip_tags to get rid of such malicious and deadly content such as <grin> and <wow>. Just use htmlspecialchars().
Well, my idea was to apply both: I do not want any tags in the user input, and I want to prevent HTML tags from showing in the later output. For that I've applied strip_tags().
Applying htmlspecialchars() after that is done to convert double quotes and ampersands to HTML entities. Not applying it has two effects: strings with quotes do not show correctly in input boxes, and strings with ampersands do not pass the W3C validator. It also converts lt and gt signs when they are used alone, like ... 5 > 2.
Those are my reasons to apply both: security and getting a clean string.
$securevar = (magic_quotes_gpc) ? $uservar : addslashes($uservar);
$securevar = (get_magic_quotes_gpc()) ? $uservar : addslashes($uservar);

$securevar = $intval($uservar);
$securevar = intval($uservar);
Definitely, I should not code so late at night ;) My samples were full of mistakes :p
Thanks for your comments, Jordi
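The two-step cleaning discussed in this thread, strip_tags() followed by htmlspecialchars(), written out as an added example (not code from either poster). Function names and the sample inputs are my own; the inputs are constructed to hit the three cases the reply names (quotes, ampersands, a lone >) plus a harmless tag like <grin>:

```php
<?php
// Added example, not from the original thread. Function names are assumptions.

function cleanForHtml(string $uservar): string
{
    // Step 1, as in the post: remove anything that parses as a tag.
    // Note that strip_tags() drops the tags but keeps the text between them.
    $noTags = strip_tags($uservar);

    // Step 2: escape &, <, >, " and (with ENT_QUOTES) ' so the value is safe
    // both in element content and inside a quoted attribute such as value="...".
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($noTags, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function cleanInt(string $uservar): int
{
    // The corrected line from the thread: intval(), not $intval().
    return intval($uservar);
}

function forSql(string $uservar): string
{
    // The corrected magic_quotes line from the thread, guarded so it still runs
    // on PHP 8, where get_magic_quotes_gpc() no longer exists.
    $alreadySlashed = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $alreadySlashed ? $uservar : addslashes($uservar);
}

// Constructed sample inputs.
$samples = [
    'He said "hello"',            // quotes must survive inside <input value="...">
    'Tom & Jerry',                // a bare & does not pass the W3C validator
    '5 > 2',                      // a lone > is not a tag: kept by strip_tags, then escaped
    '<grin>just kidding</grin>',  // the tag goes, the text stays
];

foreach ($samples as $s) {
    printf("%-28s -> %s\n", $s, cleanForHtml($s));
}
// He said "hello"              -> He said &quot;hello&quot;
// Tom & Jerry                  -> Tom &amp; Jerry
// 5 > 2                        -> 5 &gt; 2
// <grin>just kidding</grin>    -> just kidding

printf("%d\n", cleanInt('42abc'));   // 42
printf("%s\n", forSql("O'Brien"));   // O\'Brien
```

Two caveats a practitioner would add: htmlspecialchars() without ENT_QUOTES leaves single quotes alone, so a value dropped into a single-quoted attribute is not covered by the default flags; and addslashes() only escapes a fixed set of characters for a string context, so on current PHP the database side of this is better handled with prepared statements than with the magic_quotes/addslashes pattern from the thread.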
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php