Hi Richard, thanks again for the detailed reply, I really appreciate your help.

Richard Lynch wrote:
Counting words is almost always a Bad Idea, since you may have users
who use big fat words (University professors and Market-speak) and you
have texters who, like, don't even use words...
u c ? i mean?
:-v

LOL! Yah, I c ? u mean! :)

Good point. I hope the only person using this form will be me and a few others (will be posting it in a secure location)... Basically I wanted a good way to insert template tags for pagination links (done via my CMS) at specific word counts... Mostly doing this to get well-balanced pages for SEO purposes -- Also, it is hard as heck to visualize well-balanced page breaks.

But you'd have to work pretty hard at it...

Ahh, very interesting. :)

You generally want to call striptags() on the data as it comes in, if
you are not allowing HTML input.  And possibly raise an error if the
original input and the striptags() result don't match, as the user
probably *thought* you were going to accept HTML input...

Oh, kinda reminds me of filtering the comments of a Contact Form... I have used strip tags on the textareas and then compared the strings... This worked well, but I bet most folks do not think they can use HTML when it comes to a comment form (except spammers)... Thanks for pointing this out. :)

Or, don't do striptags at all, and, instead...
<snip>
// Data as stored in the DB (constructed sample value)
$text = "Some big long < block o' text > that you have stored in your DB.";
// Query-string values get urlencode() *before* they go into the URL
$url = "http://example.com/var=" . urlencode('nasty & ugly value, eh?');
// Anything that lands in HTML (text or attribute) gets htmlentities()
$text_html = htmlentities($text);
$url_html = htmlentities($url);
echo "<p>$text_html</p>\n";
echo "<a href=\"$url_html\">$url_html</a>\n";

Sweet! Thanks for the example and the great explanation!

It may seem odd at first, but, really, *ANY* data you send to the
browser as data should have htmlentities() called on it.

That sounds good to me.

The only exception would be if you have data that already has HTML
tags buried in it -- and that's almost always a Bad Idea in the first
place, as it gets really tricky to be sure that you aren't sending out
very broken HTML and XSS-infected HTML and ...  An exception might be
if you generate static HTML and cache that, using the techniques above
to create the static HTML in the first place.

Ahhh, very interesting thought... Many thanks for the detailed reply Richard, it has been extremely helpful to me. :)

I owe you and Tijnema a beer!

Have a great day/night!
Cheers,
Micky

--
Wishlists: <http://snipurl.com/1gqpj>
   Switch: <http://browsehappy.com/>
     BCC?: <http://snipurl.com/w6f8>
       My: <http://del.icio.us/mhulse>
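The two practices Richard describes above, the strip_tags() comparison on the way in and htmlentities()/urlencode() on the way out, put together as one runnable PHP script. This is an added example, not code from either poster; the function names reject_if_tags(), h() and render_page(), the example.com search URL and the sample strings are all constructed for illustration.

```php
<?php
// Added example (not from the thread): input-side tag check and
// output-side encoding, as discussed in Richard's reply.

// 1. Input side: when HTML is not allowed, strip_tags() the field and
//    refuse the submission if the result differs from what was sent,
//    so a user who typed "<b>" is told markup is not accepted instead
//    of having it silently dropped.
function reject_if_tags(string $field, string $value): string
{
    $stripped = strip_tags($value);
    if ($stripped !== $value) {
        throw new InvalidArgumentException(
            "Field '$field' contains HTML, which is not accepted here."
        );
    }
    return $value;
}

// 2. Output side: everything that ends up inside HTML goes through
//    htmlentities(); ENT_QUOTES covers attribute values in single or
//    double quotes, and the charset is stated explicitly.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A query-string value is urlencode()d first, and the finished URL is
// *then* HTML-escaped for the href attribute and the link text.
function render_page(string $text, string $query): string
{
    $url = 'http://example.com/search?q=' . urlencode($query);   // assumed URL
    return "<p>" . h($text) . "</p>\n"
         . "<a href=\"" . h($url) . "\">" . h($url) . "</a>\n";
}

// Constructed sample input standing in for what is stored in the DB.
$stored_text = "Some big long < block o' text > that you have stored in your DB.";
$query       = 'nasty & ugly value, eh? <script>alert(1)</script>';

echo render_page($stored_text, $query);

// Constructed contact-form comments: the plain one passes, the one
// carrying a tag is rejected before it is ever stored.
foreach (["plain comment, thanks!", "<img src=x onerror=alert(1)>"] as $comment) {
    try {
        reject_if_tags('comment', $comment);
        echo "accepted: " . h($comment) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . h($e->getMessage()) . "\n";
    }
}
```

Run it with `php` on the command line and inspect the output: the `<script>` in the query becomes `%3Cscript%3E` in the href and `&lt;script&gt;` would appear if it were ever printed as text, so the browser never sees a tag. The caveat a practitioner should keep in mind is that strip_tags() is not an HTML parser; the comparison is a courtesy to honest users, and the actual protection is that every value is encoded at output time regardless of what the input check did.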

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
