[PHP] Column size, user input and htmlspecialchars

2003-01-10 Thread Jim
Hi,

No problems with my code but instead I'd like some views on the best way of
doing the following:

When I read in a text field from a users HTML form, I will allow them a
maximum of say 50 characters. So, I define the corresponding field in MySQL
to be VARCHAR(50). The problem is that after I run it through
htmlspecialchars() the size could have increased considerably, if there were
for example 5 characters that got escaped, this would mean possibly an extra
25 characters to the original meaning it would be truncated considerably.
One option is to store the input without using htmlspecialchars, and then
when I display the information wrap the output in htmlspecialchars. I don't
like this though as I've got several text fields which will be hit very
often, it seems too much of a performance penalty. The other option is to
str_replace('<', '', $text) so this gets round people embedding Javascript
and other HTML but means non-malicious less-than characters would be lost,
however I would only need to use htmlspecialchars when outputting to an
input box, not just as plain text, so not so much a performance penalty as
the first option.

How do you guys go about resolving this situation?

Thanks for any input,

Jim.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Column size, user input and htmlspecialchars

2003-01-10 Thread - Edwin
Hello,

Jim [EMAIL PROTECTED] wrote: 

...[snip]...

> How do you guys go about resolving this situation?

Well, first, increase the size of your field, say VARCHAR(100) then in your form, use 
maxlength like this:

  <input type=text name=mytext size=50 maxlength=50 />

That would prevent them from entering more than 50 characters. (At least, that's how 
it should work.) But, just to make sure, count the characters entered using strlen() 
or something before you use htmlspecialchars()...

- E

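As an added example for the options Jim and Edwin discuss (this is not code from either post), the script below puts the two approaches side by side: escaping before the INSERT, where the escaped text can outgrow the VARCHAR(50) column and get cut off inside an entity, versus checking the raw length on the server and storing the raw text, then escaping once at render time. The names (validate_text_field, h, escape_then_truncate, ends_mid_entity) and the sample string are constructed for this example; it assumes the mbstring extension is available and that the column length counts characters rather than bytes.

```php
<?php
// Added example for this thread; not code posted by Jim or Edwin.
// It contrasts escaping before the INSERT (escaped text can outgrow the
// column and be truncated) with storing the length-checked raw text and
// escaping when it is rendered.
declare(strict_types=1);

const MAX_CHARS = 50; // limit on the raw user text, matching VARCHAR(50)

// Worst case for htmlspecialchars() with ENT_QUOTES: one character becomes
// six bytes ("&quot;" or "&#039;"), so 50 raw characters can escape to 300.
const MAX_ESCAPED_BYTES = MAX_CHARS * 6;

/**
 * Server-side length check on the raw submission. The form's maxlength is
 * only a hint to the browser, so the check has to happen here as well.
 * Returns null for empty or over-long input so the caller can show a form
 * error instead of silently truncating.
 * Assumption: the column counts characters, hence mb_strlen() rather than
 * the byte-counting strlen().
 */
function validate_text_field(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || mb_strlen($raw, 'UTF-8') > MAX_CHARS) {
        return null;
    }
    return $raw; // store this value as-is
}

/** Escape once at render time; safe for element text and quoted attributes. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** The option Jim worries about: escape first, then let the column truncate. */
function escape_then_truncate(string $raw): string
{
    return substr(h($raw), 0, MAX_CHARS);
}

/** Heuristic: does a stored string end inside a half-written entity such as "&qu"? */
function ends_mid_entity(string $s): bool
{
    return preg_match('/&[^;]*$/', $s) === 1;
}

// Constructed sample: exactly 50 characters, 35 of which need escaping.
$sample = str_repeat('<b>"x"&', 7) . 'a';

$clean = validate_text_field($sample);
printf("raw length: %d (accepted: %s)\n",
    mb_strlen($sample, 'UTF-8'), $clean === null ? 'no' : 'yes');
printf("escaped length: %d of at most %d bytes\n",
    strlen(h($sample)), MAX_ESCAPED_BYTES);

$truncated = escape_then_truncate($sample);
printf("escaped-then-truncated: %s\n", $truncated);
printf("cut inside an entity: %s\n", ends_mid_entity($truncated) ? 'yes' : 'no');

// Store raw, escape on output: the rendered value is always well formed,
// and the same stored value can be echoed into an input box or plain text.
if ($clean !== null) {
    echo '<input type="text" name="mytext" value="' . h($clean) . "\">\n";
}
```

Escaping at output costs one htmlspecialchars() call per rendered field, which is far cheaper than a database round trip, and it keeps the column size tied to what the user actually typed rather than to the worst-case escaped form.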

