Yeah, good catch on the addslashes/magic_quotes. Also, FYI: PHP will only allow you to do one query per mysql_query(). So you can't try to end a quote and then send another query. Don't know if this is the case for all database functions, or what...
---John Holmes...

> -----Original Message-----
> From: Sascha Cunz [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, September 28, 2002 8:19 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; php-[EMAIL PROTECTED]
> Subject: Re: [PHP] Htmlentities and Newlines?
>
> > Hi John,
> >
> > Sorry about the ambiguity. What I'm trying to accomplish is close to what
> > you describe. However, before anything goes into the db (ie html chars, bad
> > commands, or anything from Mr.Hacker), I verify it. Someone suggested, way
> > back when I first started with textarea, to use 'htmlentities' to strip the
> > bad items out.
> >
> > "You should always save it in the database exactly how the user typed it."
> >
> > So far, so good. But, if I follow what you suggest (and it's eminently
> > reasonable!) I could have some 'bad stuff' becoming 'resident' in my db.
> > Perhaps I am paranoid, but that seems like a-bad-thing-to-do.
> >
> > "Save it with newlines and don't add any HTML code to it."
> >
> > Ahh . . . if I save as the user typed it, assuming Mr. Hacker has added
> > some little extras, what then?? I use a Preview mode for viewing what
> > they've entered, and they must go back to the textarea box if they need
> > to edit (which has exactly what they typed.)
> >
> > Oh, this all made sense to me a while ago, but I am tired, and it's
> > beginning to sound like gibberish.
> >
> > Thanks again.
> > Andre
>
> Things will be alright, if you follow two rules:
>
> 1. before Output, use htmlentities() to make sure your text isn't confused
> with HTML (This way no one can insert HTML-Tags into your Text).
>
> 2. before saving to database, either use addslashes() or turn on magic_quotes
> in php.ini. (This will ensure that no one drops your database on the fly,
> e.g. enters something like '; drop database;' into a textarea.)
> as i remember magic_quotes should be turned on by default.
>
> Don't do anything else with data that goes to your database, or you'll lose
> possibility to edit it later on.
>
> Regards
> Sascha
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
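Sascha's two rules (store the text exactly as typed, escape only at output) as an added example that is not from this thread or from PHP's own docs. It substitutes a PDO prepared statement for addslashes()/magic_quotes so the stored value is never altered, and uses nl2br() to keep the newlines the subject line asks about; the SQLite DSN and the `posts` table are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Rule 2 (keep the database safe) is
// done with a prepared statement instead of addslashes()/magic_quotes, so
// the row holds the raw text. Rule 1 (htmlentities) is applied only when
// rendering. The DSN and the "posts" table are assumptions for this demo.

function storePost(PDO $db, string $rawText): int {
    // A placeholder keeps the value out of the SQL text: input such as
    // "'; drop database;" is stored as plain characters, never executed.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $rawText]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Preview mode: escape at output, then turn saved newlines into <br />.
// Because nothing was escaped on the way in, nothing is double-escaped here.
function renderPreview(string $body): string {
    return '<div class="preview">'
        . nl2br(htmlentities($body, ENT_QUOTES, 'UTF-8'))
        . '</div>';
}

// Edit mode: the textarea gets the raw text back, escaped so that a typed
// "</textarea>" cannot close the box early; newlines survive unchanged.
function renderEditor(string $body): string {
    return '<textarea name="body">'
        . htmlentities($body, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Constructed sample input: HTML, a single quote and a line break.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT)');
$typed = "Line one <b>bold</b>\nIt's line two";

$saved = loadPost($db, storePost($db, $typed));
echo ($saved === $typed ? "round-trip intact" : "round-trip CHANGED"), "\n";
echo renderPreview($saved), "\n";
echo renderEditor($saved), "\n";
```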