On Saturday 28 September 2002 07:55 pm, John W. Holmes wrote:
> > Sorry about the ambiguity. What I'm trying to accomplish is close to
> > what you describe. However, before anything goes into the db (ie html
> > chars, bad commands, or anything from Mr.Hacker), I verify it. Someone
> > suggested, way back when I first started with textarea, to use
> > 'htmlentities' to strip the bad items out.
>
> It doesn't strip it, it just converts some characters to HTML code.
>
> > "You should always save it in the database exactly how the user typed
> > it."
> >
> > So far, so good. But, if I follow what you suggest (and it's eminently
> > reasonable!) I could have some 'bad stuff' becoming 'resident' in my
> > db. Perhaps I am paranoid, but that seems like a-bad-thing-to-do.
>
> Yes. The key is to display it with htmlentities(). Never display it
> directly.
>
> > "Save it with newlines and don't add any HTML code to it. "
> >
> > Ahh . . . if I save as the user typed it, assuming Mr. Hacker has
> > added some little extras, what then?? I use a Preview mode for viewing
> > what they've entered, and they must go back to the textarea box if they
> > need to edit (which has exactly what they typed.)
>
> Again, you don't have to worry what's in there, as long as you display
> it correctly.
>
> Now, if you know that these entries aren't going to be edited, then you
> can do the conversion and save that. Unfortunately, there is no
> "reversal" to htmlentities. So, you can't run htmlentities on the text
> and then hope to display it back to the user for editing. A < will be
> &lt;, and if you submit that and run html entities again, you'll have
> &amp;lt;. See where the problem is?
>
> So, basically, as long as you're displaying the text correctly, use the
> conversions when you display it. If you don't need to edit the text, run
> the conversion before you put it in your database.
>
> Anyone disagree?
>
> ---John Holmes...


Thanks John,

It appears I was doing it 'somewhat' correctly since I haven't run into the 
one-time-only problem with htmlentities. However, as I am only displaying the 
text in Preview Mode, when they click 'Back' on their browser, they'll see 
what they had just typed in. So, if they correct it, and click Preview, it'll 
be a new process since the old 'Preview was not saved to session, but is a 
'new' post (the old Preview was destroyed.)

Still, since I'm pulling the saved info from the db, iterating through all 
rows, and displaying it in table format, I can't get the linebreaks to 
display.  Here's the 'code' that displays the info:

<?php 
/* db access using postgresql - each row is displayed */
...
<tr><td>{$myrow['request']}</td></tr>
...
?>

Now unless I can do something like:

 <tr><td>'nl2br({$myrow['request']}'</td></tr>

(Unfortunately, in the db the linebreaks appear as whitespace (no \n or 
<br>).) I'm sort of sunk. Somehow, that syntax looks like it won't work. 

Thanks for the advice,
Andre
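The store-raw, escape-on-output approach from the exchange above, plus the double-conversion trap and the nl2br() question, worked through in PHP. This is an added example, not code from the thread; `$typed` is a constructed sample of textarea input and the function names are mine.

```php
<?php
// Added example, not code from the thread: keep the text exactly as typed,
// escape it only at output time, and add <br> tags only after escaping.
// $typed is a constructed sample of what a user might submit via the textarea.

$typed = "Line one <b>bold?</b> <script>alert('x')</script>\nLine two & \"more\"\r\nLine three";

// Table-cell display: escape first, then convert newlines.
// If nl2br() ran first, htmlspecialchars() would turn its <br /> tags into
// visible text, and a user-typed <br> would have slipped through unescaped.
function render_cell(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . nl2br($escaped) . '</td></tr>';
}

// Edit form: the same stored text goes back into a textarea, escaped but
// without nl2br(), so the user sees exactly what they originally typed.
function render_textarea(string $stored): string
{
    return '<textarea name="request">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</textarea>';
}

// The trap John describes: converting on save, then converting again on display.
function double_encoded(string $stored): string
{
    $saved = htmlentities($stored, ENT_QUOTES, 'UTF-8');   // what would land in the db
    return htmlentities($saved, ENT_QUOTES, 'UTF-8');      // second pass: &lt; becomes &amp;lt;
}

// The same second pass with double_encode disabled leaves existing entities alone.
function single_encoded(string $stored): string
{
    $saved = htmlentities($stored, ENT_QUOTES, 'UTF-8');
    return htmlentities($saved, ENT_QUOTES, 'UTF-8', false);
}

echo render_cell($typed), "\n";
echo render_textarea($typed), "\n";
echo double_encoded('<'), "\n";
echo single_encoded('<'), "\n";
```

If the stored column really contains newline characters, render_cell() is all the table loop needs; if they show as plain whitespace in the db client, check what the INSERT actually wrote before blaming nl2br().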

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
