> Hi John,
>
> Sorry about the ambiguity. What I'm trying to accomplish is close to what
> you describe. However, before anything goes into the db (i.e. html chars, bad
> commands, or anything from Mr. Hacker), I verify it. Someone suggested, way
> back when I first started with textarea, to use 'htmlentities' to strip the
> bad items out.
>
> "You should always save it in the database exactly how the user typed it."
>
> So far, so good. But, if I follow what you suggest (and it's eminently
> reasonable!) I could have some 'bad stuff' becoming 'resident' in my db.
> Perhaps I am paranoid, but that seems like a-bad-thing-to-do.
>
> "Save it with newlines and don't add any HTML code to it."
>
> Ahh . . . if I save as the user typed it, assuming Mr. Hacker has added
> some little extras, what then?? I use a Preview mode for viewing what
> they've entered, and they must go back to the textarea box if they need
> to edit (which has exactly what they typed.)
>
> Oh, this all did make sense to me a while ago, but I am tired, and it's
> beginning to sound like gibberish.
>
> Thanks again.
> Andre
>
Things will be all right if you follow two rules:

1. Before output, use htmlentities() to make sure your text isn't confused with HTML. (This way no one can insert HTML tags into your text.)

2. Before saving to the database, either use addslashes() or turn on magic_quotes in php.ini. (This will ensure that no one drops your database on the fly, e.g. by entering something like '; drop database;' into a textarea.) As I remember, magic_quotes should be turned on by default.

Don't do anything else with data that goes to your database, or you'll lose the possibility to edit it later on.

Regards
Sascha

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
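An added example (not code from either poster) showing the "store it exactly as typed, escape only at output" principle from the thread. For the database side it swaps in a PDO prepared statement in place of addslashes()/magic_quotes, so the text is bound as a parameter rather than spliced into the SQL; it assumes PHP 7.4 or later with the pdo_sqlite extension and uses an in-memory database.

```php
<?php
// Added example, not from the mailing-list thread. Assumes PHP 7.4+ with
// pdo_sqlite; the database is in-memory so the script runs stand-alone.
declare(strict_types=1);

// Constructed user input containing characters that matter for both rules:
// HTML tags, a newline, single quotes and a fake "drop database" string.
$posted = "Hello <b>world</b>\nIt's 5 o'clock'; drop database; --";

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Rule 2 (prepared statement instead of addslashes/magic_quotes): the quotes
// and the "drop database" text travel as a bound value, never as SQL, so no
// escaping is needed and the stored text is byte-for-byte what was typed.
$ins = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
$ins->execute([':body' => $posted]);

$sel = $db->prepare('SELECT body FROM notes WHERE id = :id');
$sel->execute([':id' => 1]);
$stored = (string) $sel->fetchColumn();
if ($stored !== $posted) {
    throw new RuntimeException('stored text differs from what the user typed');
}

// Rule 1: escape for HTML only when rendering. ENT_QUOTES covers both quote
// styles (safe inside attributes too); nl2br keeps the user's newlines
// visible in the preview without ever storing HTML in the database.
function renderPreview(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="preview">' . nl2br($safe) . '</div>';
}

// The edit form gets the same escaping. Inside <textarea> the browser decodes
// the entities back to the original characters, so the user sees exactly what
// they typed, while a literal </textarea> in the input cannot close the box.
function renderEditForm(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="body">' . $safe . '</textarea>';
}

echo renderPreview($stored), "\n";
echo renderEditForm($stored), "\n";
```

The <b> tag in the input shows up as literal text in the preview, and the textarea round-trips the original characters, which is the behaviour Andre's preview-then-edit flow needs.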