> I'm cooking tothether a tiny php html editor right now, (textarea kind
> of thing). To treat the text properly I need to encode characters like
> '"', '<', '>', and friends into something that doesn't confuse the
> browser.

Htmlentities() or htmlspecialchars()
> By the way, do you think encoding and decoding special characters like
> this may replace addslashes() and stripslashes()? The html pages will
> be stored in a MySQL database.

No. There is no HTML entity for the single quote, so those will remain
unchanged. If you use all double quotes for string delimiters in your
queries, then you could skip addslashes(). 
> Also, addslashes() will reduce the chance of bad stuff being passed to
> MySQL. But is there a function which stops client-side scripts in
> whatever is entered by the user?

No, not really. Using strip_tags() or htmlentities() is the best way to
go on user data. It will prevent the HTML or JS that's in the input from
being evaluated.

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to