Re: [PHP] Cleaning user data

2003-03-20 Thread rotsky
That's useful stuff, thanks - and thanks to other respondents. My main concerns are to avoid junk in the database (and on-screen messages) and to avoid dangerous and malicious postings, like the one Justin outlined below (so I guess strip_tags is a major step there). What I have in mind, then,

Re: [PHP] Cleaning user data

2003-03-20 Thread CPT John W. Holmes
--- John W. Holmes [EMAIL PROTECTED] wrote: I disagree. I think stripping HTML from my text is a horrible thing. If I want to put a <b> in my text, then use htmlentities() and show me a <b> when I look at it. Obviously you don't want to evaluate HTML, but the end result should be that I

Re: [PHP] Cleaning user data

2003-03-20 Thread Chris Shiflett
--- CPT John W. Holmes [EMAIL PROTECTED] wrote: You don't want to do matching like you've shown, though. If I put a <b> on my page with no </b>, then it's going to make everything on the entire page following my post bold. Well, my example was simplified. If the user's data is contained in a table

Re: [PHP] Cleaning user data

2003-03-20 Thread Leif K-Brooks
My BBCode class takes care of unended tags, and much more. Have a look at http://www.phpclasses.org/browse.html/package/951.html. Chris Shiflett wrote: I still fail to see how BB code helps in any way, since you have to make these same considerations. But, like I said, maybe I'm missing

Re: [PHP] Cleaning user data

2003-03-20 Thread Chris Shiflett
--- Leif K-Brooks [EMAIL PROTECTED] wrote: My BBCode class takes care of unended tags, and much more. Have a look at http://www.phpclasses.org/browse.html/package/951.html. You have to log in to view any source on that site (or so it seems), so no thanks. Unended tags are easy enough to

RE: [PHP] Cleaning user data

2003-03-20 Thread John W. Holmes
I still fail to see how BB code helps in any way, since you have to make these same considerations. But, like I said, maybe I'm missing something. :-) I agree pretty much. The only way it helps is that it's easier for people to pick up, however slightly. Instead of explaining to people to use

[PHP] Cleaning user data

2003-03-19 Thread rotsky
I'd like to canvass opinions about what's needed to clean user input. I'm using an HTML form where users enter simple things like name and phone number, but also a couple of small text areas for address and a message (up to 50 words or so). How would people recommend cleaning this data when it's

Re: [PHP] Cleaning user data

2003-03-19 Thread Pete James
It really depends on what you want to do with the data. For instance, if you want to insert into a database, you'll want to run addslashes() on it, or some other such quoting. If you want to use the data as a forum post or comment, etc, you'll want to strip the html out of it with strip_tags()

RE: [PHP] Cleaning user data

2003-03-19 Thread John W. Holmes
I'd like to canvass opinions about what's needed to clean user input. I'm using an HTML form where users enter simple things like name and phone number, but also a couple of small text areas for address and a message (up to 50 words or so). How would people recommend cleaning this data when

Re: [PHP] Cleaning user data

2003-03-19 Thread olinux
You can also use basic functions like is_numeric() [to make sure the value is numeric - duh] or a custom function to do something like check for a valid email address format. I have a news site that explodes the URL to get values for the directory/article it is supposed to display. since the

Re: [PHP] Cleaning user data

2003-03-19 Thread Justin French
The first rule is to NEVER rely on anything that they give you, or any of the security precautions in your form code, because someone can always create a less-secure form which posts to the same script. So, whilst maxlength='4' for a year select thing is great, you should check at the other end

RE: [PHP] Cleaning user data

2003-03-19 Thread John W. Holmes
And yes, definitely striptags(), and follow the advice on the rest of the thread. I disagree. I think stripping HTML from my text is a horrible thing. If I want to put a <b> in my text, then use htmlentities() and show me a <b> when I look at it. Obviously you don't want to evaluate HTML, but the

Re: [PHP] Cleaning user data

2003-03-19 Thread Justin French
on 20/03/03 3:53 PM, John W. Holmes ([EMAIL PROTECTED]) wrote: And yes, definitely striptags(), and follow the advice on the rest of the thread. I disagree. I think stripping HTML from my text is a horrible thing. If I want to put a <b> in my text, then use htmlentities() and show me a <b>

RE: [PHP] Cleaning user data

2003-03-19 Thread Chris Shiflett
--- John W. Holmes [EMAIL PROTECTED] wrote: I disagree. I think stripping HTML from my text is a horrible thing. If I want to put a <b> in my text, then use htmlentities() and show me a <b> when I look at it. Obviously you don't want to evaluate HTML, but the end result should be that I should see