Why not just use htmlentities() and strip_tags() on the user input? I
prefer to just use htmlentities() and that's it. Any code the user tries
to type in is just converted to html codes and ends up being displayed
in the browser exactly as they typed it. None of their code is evaluated
though. 

---John Holmes...

> -----Original Message-----
> From: Andre Dubuc [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 28, 2002 5:37 PM
> To: Miguel Cruz
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] 'ucfirst' function for text area strings?
> 
> On Tuesday 28 May 2002 02:19 pm, you wrote:
> > On Tue, 28 May 2002, Andre Dubuc wrote:
> > > Is there a way to get a function similar to 'ucfirst' to work with the
> > > first letters of a set of strings in textarea strings?
> > >
> > > ******************************************************
> > > Inputted strings:
> > >
> > > "hi. i hope there is one. any ideas?"
> > >
> > > Should appear:
> > > "Hi. I hope there is one. Any ideas?"
> > >
> > > ******************************************************
> > >
> > > Would it be possible to do a 'foreach' 'ucfirst' type of statement while
> > > reading a string and breaking it apart at punctuation marks?
> >
> > What are you going to do about abbreviations?
> >
> > "The General Electric Corp. was represented at the meeting."
> >
> > miguel
> 
> 
> 
> Hi Miguel,
> 
> Well, I've discovered that using 'textarea' is a real pain. The usual
> validation checks don't work since there can be more than one string in
> whatever has been typed there. My nifty
> 'checkHtmlCommandsRottenwordsAndOtherGarbage' sort of looks at whatever is
> in the text area and says, 'Uh, huh -- right. . . . Passed' no matter what
> I do. I've tried ereg, eregi, preg_match_all, explode, but the effect is
> the same.
> 
> Unfortunately, this 'textarea' is one area on the site where the user can
> input the most. Therefore, it's the most vulnerable. So, how do others
> validate 'textarea' inputs? . . . Man, this is annoying!
> 
> I've tried the 'foreach' but it chokes on the $_SESSION['rap'] , so I tried
> $rap = $_SESSION['rap']; just to make things easier. To be honest, at this
> point, I'd be happy to just validate that no 'evildoers' stuff has
> been typed into the 'textarea'. But as it stands now, it's pretty well open.
> So, abbreviations -- that's not really an issue at this point -- I only
> wanted the first letter of each sentence capitalized. If the user wants
> his/her aBbrEvatIoNs looking ugly -- that's fine by me. Perhaps, if I can
> get the basic validations done, I'll tackle the interior stuff as well.
> 
> Any ideas on how to handle textarea inputs? I'd really appreciate some
> advice on how to proceed at this point.
> 
> Btw here's what I've tried before, and it works everywhere else except for
> textareas:
> 
> **********************************************************************
> // 'rap' is the textarea input
> 
> $_SESSION['rap'] = $_POST['rap'];
> $rap = $_SESSION['rap'];
> 
> if (eregi("<([^>]|\n)*>|/<SCRIPT.*?<\/SCRIPT>/ims|onClick|onLoad|onDblClick|"
>     . "onDragStart|onKeyDown|onKeyPress|onKeyUp|onMouseDown|onMouseMove|"
>     . "onMouseOut|MouseOver|SelectStart|Blur|Focus|Scroll|onMouseOver|"
>     . "onSelectStart|onBlur|"
>     . "onFocus|Scroll|SCRIPT|script|Select|Unload|Change||DELETE|rm|mkdir|COPY|"
>     . "CREATE|UPDATE|WHERE|AS|FROM|POST|INSERT|INTO|while", $rap))
> {header("location:out.php");}
> 
> $rap = ucfirst($rap);
> 
> // set it back to session variable
> $_SESSION['rap'] = $rap;
> 
> **********************************************************************
> 
> 
> Tia, Andre
> 
> 
> - -
> Please pray the Holy Rosary to end the holocaust of abortion.
> Remember in your prayers the Holy Souls in Purgatory.
> 
> May God bless you abundantly in His love!
> For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
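
The two approaches in this thread side by side, as an added example that is not code from either poster: encoding on output with htmlentities() as the reply suggests, next to a keyword denylist adapted from a subset of the quoted list, plus the sentence capitalization originally asked for. The function names and sample inputs are constructed for illustration, and preg_* functions are used because eregi() was removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Capitalize the first letter of the text and of each sentence that follows
// '.', '!' or '?'. Abbreviations such as "Corp." are not special-cased.
function capitalize_sentences(string $text): string
{
    return preg_replace_callback(
        '/(^\s*|[.!?]\s+)([a-z])/',
        function (array $m): string {
            return $m[1] . strtoupper($m[2]);
        },
        $text
    );
}

// Encode at output time so markup in the input is displayed, not interpreted.
function render_textarea(string $raw): string
{
    return nl2br(htmlentities(capitalize_sentences($raw), ENT_QUOTES, 'UTF-8'));
}

// Adapted subset of the thread's pattern, used as a case-insensitive denylist.
function denylist_hit(string $raw): bool
{
    return preg_match('/<[^>]*>|script|WHERE|AS|FROM|INSERT|INTO|while/i', $raw) === 1;
}

// Constructed sample inputs: the thread's own benign sentence, then markup.
$samples = [
    "hi. i hope there is one. any ideas?",
    "nice page! <script>alert(1)</script> <b onmouseover=x>hi</b>",
];

foreach ($samples as $raw) {
    // The benign sentence is rejected too: "ideas" contains "as".
    printf("denylist: %s\n", denylist_hit($raw) ? 'rejected' : 'passed');
    // Tags come out as &lt;...&gt; entities and are shown as typed.
    printf("output:   %s\n\n", render_textarea($raw));
}
```

The encoding step belongs where the text is written into an HTML page; the stored value can stay as the user typed it.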


