On Saturday 28 September 2002 08:32 pm, John W. Holmes wrote:
> > -----Original Message-----
> > From: Andre Dubuc [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, September 28, 2002 8:34 PM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: [PHP] Htmlentities and Newlines?
> >
> > On Saturday 28 September 2002 07:55 pm, John W. Holmes wrote:
> > > > Sorry about the ambiguity. What I'm trying to accomplish is close to
> > > > what you describe. However, before anything goes into the db (i.e.
> > > > html chars, bad commands, or anything from Mr. Hacker), I verify it.
> > > > Someone suggested, way back when I first started with textarea, to
> > > > use 'htmlentities' to strip the bad items out.
> > >
> > > It doesn't strip it, it just converts some characters to HTML code.
> > >
> > > > "You should always save it in the database exactly how the user
> > > > typed it."
> > > >
> > > > So far, so good. But, if I follow what you suggest (and it's
> > > > eminently reasonable!) I could have some 'bad stuff' becoming
> > > > 'resident' in my db. Perhaps I am paranoid, but that seems like
> > > > a-bad-thing-to-do.
> > >
> > > Yes. The key is to display it with htmlentities(). Never display it
> > > directly.
> > >
> > > > "Save it with newlines and don't add any HTML code to it."
> > > >
> > > > Ahh . . . if I save as the user typed it, assuming Mr. Hacker has
> > > > added some little extras, what then?? I use a Preview mode for
> > > > viewing what they've entered, and they must go back to the textarea
> > > > box if they need to edit (which has exactly what they typed.)
> > >
> > > Again, you don't have to worry what's in there, as long as you
> > > display it correctly.
> > >
> > > Now, if you know that these entries aren't going to be edited, then
> > > you can do the conversion and save that. Unfortunately, there is no
> > > "reversal" to htmlentities. So, you can't run htmlentities on the
> > > text and then hope to display it back to the user for editing. A <
> > > will be &lt;, and if you submit that and run html entities again,
> > > you'll have &amp;lt;. See where the problem is?
> > >
> > > So, basically, as long as you're displaying the text correctly, use
> > > the conversions when you display it. If you don't need to edit the
> > > text, run the conversion before you put it in your database.
> > >
> > > Anyone disagree?
> > >
> > > ---John Holmes...
> >
> > Thanks John,
> >
> > It appears I was doing it 'somewhat' correctly since I haven't run
> > into the one-time-only problem with htmlentities. However, as I am
> > only displaying the text in Preview Mode, when they click 'Back' on
> > their browser, they'll see what they had just typed in. So, if they
> > correct it, and click Preview, it'll be a new process since the old
> > 'Preview' was not saved to session, but is a 'new' post (the old
> > Preview was destroyed.)
> >
> > Still, since I'm pulling the saved info from the db, iterating through
> > all rows, and displaying it in table format, I can't get the
> > linebreaks to display. Here's the 'code' that displays the info:
> >
> > <?php
> > /* db access using postgresql - each row is displayed */
> > ...
> > <tr><td>{$myrow['request']}</td></tr>
> > ...
> > ?>
>
> I assume that's being echo'd or something, like this?
>
> echo "<tr><td>{$myrow['request']}</td></tr>";
>
> Then, you'd have to do this:
>
> echo "<tr><td>" . nl2br(htmlentities($myrow['request'])) . "</td></tr>";
>
> Does that clear it up?
>
> ---John Holmes...
Well, if it works. I just assumed you couldn't manipulate this line. I'm not
thinking too clearly -- long day since 6 am!

Thanks John, Sascha, & Dan.

Regards,
Andre

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
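Added example, not code from the thread: a small PHP script that follows John's advice (store the text exactly as typed, encode only at output) and contrasts it with what happens when htmlentities() is applied before storing and again on display. The $request string is constructed for the demonstration, and the helper names renderForDisplay() and renderForTextarea() are this example's own.

```php
<?php
// Constructed sample of what a user might have typed into the textarea:
// two lines, an HTML tag, an ampersand and double quotes.
$request = "Line one <b>not bold</b>\nLine two & \"quoted\"";

// Storage rule from the thread: save $request to the database unchanged.
// All encoding happens in the two output helpers below.

// For a table cell: neutralise <, >, &, and quotes, then turn the stored
// newlines into <br /> tags so the line breaks survive inside <td>.
function renderForDisplay($raw)
{
    return nl2br(htmlentities($raw, ENT_QUOTES));
}

// For re-populating the textarea when the user goes back to edit: encode
// for HTML, but do NOT call nl2br(), because newlines are meaningful
// inside a <textarea> and a literal <br /> tag would show up as text.
function renderForTextarea($raw)
{
    return '<textarea name="request">' . htmlentities($raw, ENT_QUOTES) . '</textarea>';
}

// The double-encoding problem John describes: if the text had been encoded
// before it was stored, the '<' is already '&lt;' in the database, and
// encoding it again at display time produces '&amp;lt;', which the browser
// renders literally as the five characters '&lt;'.
function doubleEncoded($raw)
{
    $storedEncoded = htmlentities($raw, ENT_QUOTES); // saved this way by mistake
    return htmlentities($storedEncoded, ENT_QUOTES); // encoded again on output
}

echo "<table>\n";
echo "<tr><td>" . renderForDisplay($request) . "</td></tr>\n";
echo "</table>\n";
echo renderForTextarea($request), "\n";
echo "Double-encoded: ", doubleEncoded($request), "\n";
```

Running this shows the table cell containing `&lt;b&gt;not bold&lt;/b&gt;<br />` followed by the second line, so the markup is displayed as text rather than interpreted, while the double-encoded variant contains `&amp;lt;b&amp;gt;` and would be shown to the user with visible entity codes.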