On Sun, 2010-03-14 at 12:14 +0100, Rene Veerman wrote:

> On Sun, Mar 14, 2010 at 11:16 AM, Ashley Sheridan
> <a...@ashleysheridan.co.uk> wrote:
>
>         That function won't always work. You're using a PHP version
>         check for mysql_real_escape_string() when the most likely
>         failure point for it is if no database connection has been
>         opened.
>
> I never call it without an open db connection..
>
>         Also, you shouldn't strip the tags from a string that's being
>         inserted into the database. strip_tags() is for the display of
>         data on a web page. It's best practice not to alter the actual
>         data you've stored but to convert it once it's displayed.
>         Don't forget that the browser display may not be the only use
>         for that data.
>
> Let's call that a coder's / payer's preference..
>
> If I'd need human text, I'd want to strip it of computer code before
> it enters the db. Possibly log the attempt to insert code.


I have to deal with a lot of CMSs, so I expect the users to enter some
HTML code through a rich-text editor, and they expect to be able to.

Aside from that, it's good to have a complete copy of the code a user
attempted to insert, to see the methodology of an attack should it ever
occur.

Thanks,
Ash
http://www.ashleysheridan.co.uk
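The pattern argued for in this message, as an added example that is not code from the thread or from either poster: the submitted text is stored unchanged, a full copy is logged for later analysis, and strip_tags() or HTML escaping is applied only at output, per output context. It assumes PDO with an in-memory SQLite database standing in for MySQL; the table and function names are made up for the illustration.

```php
<?php
// Added example, not code from the thread. Prepared statements are used, so
// there is no mysql_real_escape_string() call that depends on an open link.
// SQLite in memory is an assumption so the snippet runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$db->exec('CREATE TABLE submission_log (id INTEGER PRIMARY KEY, raw TEXT NOT NULL, received_at TEXT NOT NULL)');

function storePost(PDO $db, string $body): int
{
    // Full copy of what was submitted, kept before anything else touches it,
    // so the exact input can be examined later if it turns out to be an attack.
    $log = $db->prepare('INSERT INTO submission_log (raw, received_at) VALUES (:raw, :ts)');
    $log->execute([':raw' => $body, ':ts' => gmdate('c')]);
    // The content row stores the same bytes; nothing is stripped on insert.
    $ins = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $ins->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string
{
    $sel = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $sel->execute([':id' => $id]);
    return (string) $sel->fetchColumn();
}

// Output context 1: show the stored markup as literal text inside an HTML page.
function renderAsText(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Output context 2: a plain-text consumer (for example a notification e-mail).
// This is where strip_tags() belongs: at display time, not at insert time.
function renderAsPlainText(string $body): string
{
    return html_entity_decode(strip_tags($body), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission: rich-text markup, quotes, an entity, a script tag.
$submitted = "<p>O'Brien says \"hi\" &amp; waves</p><script>alert(1)</script>";
$id = storePost($db, $submitted);
$stored = loadPost($db, $id);
echo "stored unchanged: ", var_export($stored === $submitted, true), "\n";
echo "as text: ", renderAsText($stored), "\n";
echo "as plain: ", renderAsPlainText($stored), "\n";
```

For rendering the stored rich text as HTML in a browser, the output-time transform would be a whitelist sanitizer rather than htmlspecialchars(); the stored row stays the same either way.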

