Sample code:
<?php
// Safe: encode special characters so the browser renders the
// submitted text literally instead of interpreting it as markup
$comments = $_POST['comments'];
$comments = htmlentities( $comments );
echo $comments;
?>

<?php
// Very unsafe: user input is echoed straight into the page
$comments = $_POST['comments'];
echo $comments;
?>
--Dave
Jacob Albretsen wrote:
I need advice from people smarter than me. This web page I maintain for a friend has a bunch of email addresses on it. I know, I know, spam. I warned them, they wanted it that way.
So now 6 months later, they get spam and want a solution so it doesn't get worse. So, I started making them a form that people could use and so I could learn more about the mail() function to send messages online.
My thoughts go back to a UUG meeting when Dave Smith was showing us a similar application, only with a database, and the quick thinkers in the group showed us why security is needed by making pop up Javascript windows on Dave's demo blog.
So there is this function called strip_tags() which I tested and appears to work. My question is, is strip_tags() enough to prevent potential abuse, or is there something else I need to put in there to make it even better?
Thanks.
BYU Unix Users Group http://uug.byu.edu/
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
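A PHP example, added here and not part of the thread, that contrasts strip_tags() with htmlentities() on a few constructed inputs, echoing each both inside an element and inside an attribute value (escape_html and render are names chosen for this example):

```php
<?php
// Added example (not from the original thread): why strip_tags() alone is not
// enough when echoing a form field back into an HTML page.

// Encode for output inside an HTML element body or a quoted attribute.
// ENT_QUOTES covers both quote styles; the charset must match the page's encoding.
function escape_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the comment two ways: inside an element and inside an attribute value.
function render(string $comments, callable $filter): string
{
    $safe = $filter($comments);
    return "<p>{$safe}</p>\n<input type=\"text\" value=\"{$safe}\">\n";
}

// Constructed sample inputs a comment form might receive.
$samples = [
    '<script>alert(1)</script>',   // the markup case strip_tags() is meant for
    'if x<y and y>z then stop',    // honest text: strip_tags() eats "<y and y>"
    'He said "hi"',                // quotes: strip_tags() keeps them, breaking the attribute
];

foreach ($samples as $input) {
    echo "--- input: {$input}\n";
    echo "strip_tags():\n",   render($input, 'strip_tags');
    echo "htmlentities():\n", render($input, 'escape_html');
}
```

The second and third inputs show the two failure modes: stripping silently destroys legitimate text, and it does nothing for a value that lands inside an attribute, whereas encoding preserves the text and is safe in both contexts.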
