On Thu, 05 Aug 2004 12:35:59 +0200, Jordi Canals <[EMAIL PROTECTED]> wrote:
> John Holmes wrote:
>
>>> $uservar = htmlspecialchars(strip_tags($uservar));
>>
>> You don't need to use strip_tags _and_ htmlspecialchars()... unless you
>> want strip_tags to get rid of such malicious and deadly content such as
>> <grin> and <wow>. Just use htmlspecialchars().
>
> Well, my idea was to apply both: I do not want to get any tag in the
> user input and prevent showing the HTML tags in the later output. For
> that I've applied strip_tags().
>
> Applying htmlspecialchars() after that is done to convert double quotes
> and ampersands to HTML entities. Not applying it has two effects: strings
> with quotes do not show correctly in input boxes, and strings with
> ampersands do not pass the W3C validator. And just to convert lt and gt
> signs when used alone, like ... 5 > 2.
htmlspecialchars() should be used for *output*, not for *input*. When you
store the data, it should be in pristine format. When you display it in the
browser, you should use htmlspecialchars() or htmlentities() to make the
browser like it. As for quotes, yes, htmlspecialchars() can deal with them,
but for SQL, you should use an SQL quoting mechanism
(mysql_real_escape_string()). For HTML output, you should use htmlentities().

> Just that are my reasons to apply both: Security and get a clean string.
>
>>> $securevar = (magic_quotes_gpc) ? $uservar : addslashes($uservar);
>
> $securevar = (get_magic_quotes_gpc()) ? $uservar : addslashes($uservar);
>
>>> $securevar = $intval($uservar);
>
> $securevar = intval($uservar);
>
> Definitely, I should not code as late at night ;) My samples were plenty
> of mistakes :p
>
> Thanks for your comments,
> Jordi

-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--

-- 
PHP General Mailing List (http://www.php.net/)
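An added example of the approach the reply above describes (store the submitted value pristine, escape at each output boundary); this is not code from the thread. It assumes PHP with the pdo_sqlite extension, and uses PDO parameter binding where the thread mentions mysql_real_escape_string().

```php
<?php
// Added example, not from the thread: keep stored data pristine and escape
// per output context. Assumes the pdo_sqlite extension is available.

// Constructed sample input, exactly as a form would submit it: no strip_tags(),
// no addslashes() applied on the way in.
$uservar = 'Tom & Jerry say "5 > 2" <b>bold</b>';

// SQL boundary: parameter binding sends the value separately from the SQL
// text, so no SQL-level escaping of $uservar is needed (this stands in for
// the mysql_real_escape_string() the reply mentions).
function storeComment(PDO $db, int $id, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (id, body) VALUES (:id, :body)');
    $stmt->execute([':id' => $id, ':body' => $body]);
}

// HTML boundary: ENT_QUOTES escapes both quote styles, so the result is safe
// inside a quoted attribute as well as in element content.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// intval() for the integer field, as in Jordi's corrected sample: '7abc' -> 7.
storeComment($db, intval('7abc'), $uservar);

$row = $db->query('SELECT id, body FROM comments')->fetch(PDO::FETCH_ASSOC);

// What comes back is exactly what was submitted: no escaping baked into the data,
// so the same value can later be sent to a mail, a PDF, or JSON without surprises.
assert($row['body'] === $uservar && $row['id'] === 7);

// Re-displaying in an input box: the quotes survive because escaping happens
// here, at output, rather than being applied (or doubled) at input time.
echo '<input type="text" name="comment" value="' . h($row['body']) . '">', "\n";

// Displaying in the page body: <b> renders as literal text, the ampersand
// validates, and "5 > 2" reads as intended.
echo '<p>', h($row['body']), "</p>\n";
```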