> Sorry about the ambiguity. What I'm trying to accomplish is close to
> you
> describe. However, before anything goes into the db (ie html chars,
> commands, or anything from Mr.Hacker), I verify it. Someone suggested,
> back when I first started with textarea, to use 'htmlentities' to
> the
> bad items out.

It doesn't strip it, it just converts some characters to HTML code.
> "You should always save it in the database exactly how the user typed
> So far, so good. But, if I follow what you suggest (and it's eminently
> reasonable!) I could have some 'bad stuff' becoming 'resident' in my
> Perhaps I am paranoid, but that seems like a-bad-thing-to-do.

Yes. The key is to display it with htmlentities(). Never display it

> "Save it with newlines and don't add any HTML code to it. "
> Ahh . . . if I save as the user typed it, assuming Mr. Hacker has
> some
> little extras, what then?? I use a Preview mode for viewing what
> entered, and they must go back  to the textarea box if they need to
> (which has exactly what they typed.)

Again, you don't have to worry what's in there, as long as you display
it correctly. 

Now, if you know that these entries aren't going to be edited, then you
can do the conversion and save that. Unfortunately, there is no
"reversal" to htmlentities. So, you can't run htmlentities on the text
and then hope to display it back to the user for editing. A < will be
&lt;, and if you submit that and run htmlentities again, you'll have
&amp;lt;. See where the problem is?

So, basically, as long as you're displaying the text correctly, use the
conversions when you display it. If you don't need to edit the text, run
the conversion before you put it in your database. 

Anyone disagree?

---John Holmes...
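The store-raw, escape-on-display approach John recommends, as an added example that is not from the thread. It uses htmlspecialchars() (my choice; the narrower sibling of htmlentities()) and an in-memory SQLite table as a stand-in for the real database, both assumptions for the demo.

```php
<?php
// Added example, not from the thread: keep the user's text in the database exactly
// as typed, escape only when rendering, and show the double-encoding trap.

// Constructed sample input: what the textarea might receive from "Mr. Hacker".
$typed = "1 < 2 & \"quotes\" <script>alert('x')</script>\nsecond line";

// In-memory SQLite stands in for the real database (assumption for this demo).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Store raw. The parameterized query keeps the text intact; HTML escaping is a
// display concern and does not belong here.
function store(PDO $db, string $text): int {
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
    return (int) $db->lastInsertId();
}

function load(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Escape once for display; nl2br turns the stored newlines into <br>.
function renderForPage(string $raw): string {
    return nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Escape once for the edit form; the browser decodes entities inside <textarea>,
// so the user sees exactly what they typed, newlines included.
function renderForTextarea(string $raw): string {
    return '<textarea name="body">'
        . htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

$id  = store($db, $typed);
$raw = load($db, $id);
if ($raw !== $typed) {
    throw new RuntimeException('stored text must round-trip unchanged');
}

echo renderForPage($raw), "\n";      // script tags arrive as text, never as markup
echo renderForTextarea($raw), "\n";  // edit form shows the original text

// The trap John describes: encode before storing, then encode again on output,
// so the "&lt;" that went into the database is encoded a second time.
$encodedBeforeStore = htmlentities($typed, ENT_QUOTES, 'UTF-8');
$shownAgain         = htmlentities($encodedBeforeStore, ENT_QUOTES, 'UTF-8');
echo $shownAgain, "\n";
```

Run it with the sqlite PDO driver enabled; the last line printed shows the double-encoded text the reply warns about.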

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
