Hi,

No problems with my code, but instead I'd like some views on the best way of doing the following:
When I read in a text field from a user's HTML form, I will allow them a maximum of, say, 50 characters. So, I define the corresponding field in MySQL to be VARCHAR(50). The problem is that after I run it through htmlspecialchars() the size could have increased considerably; if there were, for example, 5 characters that got escaped, this would mean possibly an extra 25 characters on top of the original, meaning it would be truncated considerably.

One option is to store the input without using htmlspecialchars, and then when I display the information wrap the output in htmlspecialchars. I don't like this though, as I've got several text fields which will be hit very often; it seems too much of a performance penalty.

The other option is to str_replace('<', '', $text), so this gets round people embedding Javascript and other HTML but means non-malicious less-than characters would be lost. However, I would only need to use htmlspecialchars when outputting to an input box, not just as plain text, so not so much a performance penalty as the first option.

How do you guys go about resolving this situation?

Thanks for any input,

Jim.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
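The approach Jim's first option describes, worked through as an added example (not code from the post or from the list): the length limit is enforced on the raw input, the raw value is stored through a prepared statement, and escaping happens once at output time. The column name, table name and the 50-character limit are assumptions taken from the post; the sample input is constructed to show how large htmlspecialchars() output can get.

```php
<?php
// Added example: validate and store the raw value, escape only on output.

const MAX_LEN = 50;   // assumed: matches the VARCHAR(50) column from the post

// Validate the *raw* field. This is the only length that matters for storage,
// because the stored value is never escaped.
function validateField(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || mb_strlen($raw, 'UTF-8') > MAX_LEN) {
        return null;   // reject explicitly rather than letting MySQL truncate
    }
    return $raw;
}

// Escape once, at output time. ENT_QUOTES escapes both quote characters, so the
// same helper is safe for element text and for a quoted value="" attribute.
function h(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Length of the escaped form in bytes: each escaped character becomes a 4- to
// 6-byte entity, which is why the escaped string cannot share the raw column.
function escapedLength(string $raw): int
{
    return strlen(h($raw));
}

// Store the raw value. The placeholder handles SQL safety; h() handles HTML
// safety when the value is rendered. The two concerns stay separate.
function saveField(PDO $db, string $raw): bool
{
    $value = validateField($raw);
    if ($value === null) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)'); // table assumed
    return $stmt->execute([':body' => $value]);
}

// Constructed sample: 50 double quotes is a legal 50-character input, but every
// quote becomes the 6-byte entity &quot; once escaped, a sixfold expansion.
$sample = str_repeat('"', MAX_LEN);
printf("raw=%d chars, escaped=%d bytes\n", mb_strlen($sample, 'UTF-8'), escapedLength($sample));
echo '<input type="text" name="body" value="' . h($sample) . '">' . "\n";
```

Since htmlspecialchars() is a single pass over a string of at most 50 characters, the per-field cost at output time is small compared to the database round trip that fetches the row.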