> I'd like to canvas opinions about what's needed to clean user input. I'm
> using an HTML form where users enter simple things like name and phone
> number, but also a couple of small text areas for address and a message (up
> to 50 words or so).
>
> How would people recommend cleaning this data when it's received (via
> $_POST) in the next page? Some fields (like email) I can check against a
> template using ereg(), but the text areas pose more of a problem. I assume
> running strip_tags() might be a wise precaution, and maybe also
> htmlentities(). Anything else?
For a textarea, apply htmlentities() before you save it in the database. This will let you safely display it on a web page and re-display it in another textarea for further editing. If you need to use the data in an email or file, then only apply htmlentities() when you display the data on a web page, not when you save it in the database.

Bottom line, as you hopefully know, VALIDATE EVERYTHING!

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/
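As an added illustration of the advice above (example code, not from the thread or its author), this handler validates each field named in the question, strips tags from the free-text areas, keeps the raw text for storage and applies htmlentities() only at output so the same value can also go into an email. It assumes PHP 5.2 or later (preg_match() and filter_var() in place of the deprecated ereg()).

```php
<?php
// Added example (not from the thread): validate the contact form fields,
// store the raw text, and escape at the point of output.

function validate_contact_form(array $post) {
    $errors = array();
    $clean  = array();

    // Name: letters, spaces, apostrophes, hyphens; bounded length.
    $name = trim(isset($post['name']) ? $post['name'] : '');
    if (!preg_match('/^[\p{L} \'\-]{1,80}$/u', $name)) {
        $errors[] = 'name';
    } else {
        $clean['name'] = $name;
    }
    // Phone: digits with common separators, 7-20 characters.
    $phone = trim(isset($post['phone']) ? $post['phone'] : '');
    if (!preg_match('/^\+?[0-9 ()\-]{7,20}$/', $phone)) {
        $errors[] = 'phone';
    } else {
        $clean['phone'] = $phone;
    }
    // Email: built-in validator instead of a hand-written ereg() pattern.
    $email = trim(isset($post['email']) ? $post['email'] : '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    } else {
        $clean['email'] = $email;
    }
    // Address and message: no HTML wanted, so drop tags, collapse whitespace,
    // enforce the ~50-word limit. Not escaped here: the text may be emailed.
    foreach (array('address', 'message') as $field) {
        $text = strip_tags(isset($post[$field]) ? $post[$field] : '');
        $text = trim(preg_replace('/\s+/', ' ', $text));
        if ($text === '' || str_word_count($text) > 50) {
            $errors[] = $field;
        } else {
            $clean[$field] = $text;
        }
    }
    return array($clean, $errors);
}

// Output-side escaping: safe inside an HTML page and inside a <textarea>.
function h($s) { return htmlentities($s, ENT_QUOTES, 'UTF-8'); }

list($clean, $errors) = validate_contact_form($_POST);
if ($errors) {
    echo '<p>Please correct: ' . h(implode(', ', $errors)) . '</p>';
} else {
    // Save $clean with prepared statements; when re-displaying for editing:
    echo '<textarea name="message">' . h($clean['message']) . '</textarea>';
}
```

str_word_count() only counts Latin-letter words, so adjust the limit check if the form accepts other scripts.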