On 01/25/2011 02:36 PM, Donovan Brooke wrote:
> Hello,
> I don't yet have a complete understanding of string encodings for the
> various environments they may need to pass through or be in. I have
> found bits and pieces within Larry's book, the online docs, and by
> googling... and
> my app seems to be working fine, but I don't yet feel confident on "best
> practices". So, I thought I'd see if I could spark some feedback to the
> following:
> 1.) Saving strings to a database

Just use the proper escaping and save what is received:
example: mysql_real_escape_string(), or an addcslashes() for DBs without
a comparable function, or preg_replace() for those that escape differently:

If you definitely don't want certain things then strip them:

If you may need it then leave it.

> 2.) print/echo'ing string fields from a database.
>     a. Allowing HTML?
>     b. Not allowing HTML?

Depends on whether you want to render HTML.  If so, and you can trust it
(you or a trusted source entered it) then do nothing.  Otherwise if you
want to show the HTML as source tags then:

If you don't want it then strip it before insert or when displaying,
your call:

> 3.) print/echo'ing string fields into form textareas.

The textarea prevents HTML inside from being rendered and the form
submit should automatically URL encode the data in the textarea so I
don't see the need to do anything.

> 4.) Simply encoding strings to send over a GET request.

Encode the values that you intend to pass:

> 5.) Simply displaying strings from the $_REQUEST array.

If you want to maybe show some HTML as source tags then:

If you don't want HTML then strip it when displaying:

> 6.) string encoding for redirects

Same as #4.

BTW, these are very nice for working with data:



PHP General Mailing List (http://www.php.net/)
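A worked PHP example covering the six cases discussed in the thread, added here and not part of the original post or its author's code. It assumes a mysqli connection in `$db` and a hypothetical `notes` table with a `body` column; it shows parameter binding beside the real_escape_string approach the reply mentions, htmlspecialchars()/strip_tags() for output, and http_build_query() for GET parameters and redirects. It also escapes the textarea value, because a literal `</textarea>` in the data would otherwise close the field in the browser's HTML parser.

```php
<?php
// Added example (not from the mailing-list post). Assumes a mysqli
// connection in $db and a table `notes` with a `body` column; both are
// hypothetical names chosen for this example.

// 1. Saving a string: bind it as a parameter so the driver keeps data
//    and SQL apart (preferred on any driver that supports it).
function save_note(mysqli $db, string $body): bool {
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    return $stmt->execute();
}

// The escaping approach the reply describes, for drivers without binding.
// The escaped value must be quoted in the SQL or the escaping is useless.
function save_note_escaped(mysqli $db, string $body): bool {
    $safe = $db->real_escape_string($body);
    return (bool) $db->query("INSERT INTO notes (body) VALUES ('$safe')");
}

// 2a/2b and 5. Output: render HTML only when the source is trusted.
//    Otherwise show it as source (entity-encode) or strip the tags first.
function show_as_source(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function show_stripped(string $s): string {
    // strip_tags() removes tags but leaves quotes and '&' alone, so the
    // result still goes through htmlspecialchars() before output.
    return htmlspecialchars(strip_tags($s), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Textarea: the field's content is still inside an HTML document, so a
//    closing </textarea> in the data would terminate it; escape it as well.
function textarea(string $name, string $value): string {
    return '<textarea name="' . show_as_source($name) . '">'
         . show_as_source($value) . '</textarea>';
}

// 4 and 6. GET parameters and redirect targets: percent-encode each value.
//    http_build_query() applies urlencode() to every key and value.
function build_url(string $base, array $params): string {
    return $base . '?' . http_build_query($params);
}
function redirect_to(string $base, array $params): void {
    header('Location: ' . build_url($base, $params));
    exit;
}

// Demonstration on a constructed input carrying a quote, HTML, an
// ampersand and a textarea terminator.
$input = "Tom's <b>note</b> & more </textarea><i>still text</i>";
echo show_as_source($input), "\n";
echo show_stripped($input), "\n";
echo textarea('body', $input), "\n";
echo build_url('/search.php', ['q' => $input, 'page' => 2]), "\n";
```

Run it from the command line to see the three output forms and the encoded URL; the two save functions need a live mysqli connection and are not called by the demonstration. The choice between save_note() and save_note_escaped() is the point of item 1: binding never interpolates the value into the statement text, while escaping only works if the value is also wrapped in quotes in the query.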