> Hi John,
> Sorry about the ambiguity. What I'm trying to accomplish is close to what
> you describe. However, before anything goes into the db (i.e. html chars, bad
> commands, or anything from Mr. Hacker), I verify it. Someone suggested, way
> back when I first started with textarea, to use 'htmlentities' to strip the
> bad items out.
> "You should always save it in the database exactly how the user typed it."
> So far, so good. But, if I follow what you suggest (and it's eminently
> reasonable!) I could have some 'bad stuff' becoming 'resident' in my db.
> Perhaps I am paranoid, but that seems like a-bad-thing-to-do.
> "Save it with newlines and don't add any HTML code to it. "
> Ahh . . . if I save as the user typed it, assuming Mr. Hacker has added
> some little extras, what then?? I use a Preview mode for viewing what
> they've entered, and they must go back to the textarea box if they need
> to edit (which has exactly what they typed.)
> Oh, this all did make sense to me a while ago, but I am tired, and it's
> beginning to sound like gibberish.
> Thanks again.
> Andre

Things will be alright, if you follow two rules:

1. Before output, use htmlentities() to make sure your text isn't confused
with HTML (this way no one can insert HTML tags into your text).

2. Before saving to the database, either use addslashes() or turn on magic_quotes
in php.ini. (This will ensure that no one drops your database on the fly,
e.g. by entering something like '; drop database;' into a textarea.)
As I remember, magic_quotes should be turned on by default.

Don't do anything else with data that goes to your database, or you'll lose
the possibility to edit it later on.
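The two rules above, as an added PHP example that is not part of the original thread: the text is stored exactly as typed and escaped only when it is rendered, so the edit textarea can be refilled losslessly. For the database step it uses a PDO prepared statement in place of addslashes()/magic_quotes (a swapped-in technique, chosen because parameter binding keeps user data out of the SQL parser; magic_quotes has since been removed from PHP). It assumes the pdo_sqlite extension and a hypothetical one-column `posts` table created inline.

```php
<?php
// Added example (not from the thread). Assumes pdo_sqlite is available;
// the posts(id, body) schema is hypothetical and created in memory below.

function savePost(PDO $db, string $body): int {
    // Rule 2: keep the text byte-for-byte as the user typed it. Binding the value
    // as a parameter means quotes and semicolons in the data never reach the SQL
    // parser, so "'; drop database;" is stored as ordinary text.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

function renderPost(string $body): string {
    // Rule 1: escape at output time so '<', '>', '"' and "'" become entities and
    // no tag in the stored text is interpreted by the browser. nl2br() runs after
    // escaping, so the only <br /> tags present are the ones added for the user's
    // own newlines (the stored text keeps its newlines, nothing else is added).
    return nl2br(htmlentities($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed sample input: what a hostile user might type into the textarea.
$input = "Line one\n<script>alert('x')</script>\n'; drop database;";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');

$id = savePost($db, $input);
$stored = loadPost($db, $id);          // identical to $input: nothing was altered

// Preview mode shows the escaped form; the edit box gets the raw text back.
// It is escaped once more there, because a literal "</textarea>" in the stored
// text would otherwise close the element early.
echo "Preview:\n" . renderPost($stored) . "\n\n";
echo "Edit box:\n<textarea>"
    . htmlentities($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    . "</textarea>\n";
```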


PHP General Mailing List (http://www.php.net/)