That's useful stuff, thanks - and thanks to other respondents. My main concerns are to avoid junk in the database (and on-screen messages) and to avoid dangerous and malicious postings, like the one Justin outlined below (so I guess strip_tags is a major step there). What I have in mind, then, is:
Use a foreach loop to run through all posted data and perform the following on each item:

- strip_tags()
- trim()

I'll be saving this stuff to a database, so I'll keep htmlentities for the display stage.

Also, on a field-by-field basis (depending on what it holds):

- check not empty
- check length
- check against allowable characters & formats

I'm still battling with the whole escaped characters business. My hosting supplier has magic quotes turned on, so on the page that receives the data from the form, I run the $_POST variables through stripslashes(). And yet the slashes are still there - eg, in front of apostrophes. Perhaps they've been escaped twice for some reason. I take them out because the data is going to be POSTed again before being written to the database. I guess I need to experiment more.

"Justin French" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

<snip>
> BTW: Allowing some tags with strip_tags() offers a great security risk:
>
> let's say you allow <b> tags -- then I can go:
>
> <b onmouseover'javascript:window.close();'>hahahaha</b> -- not good!!
<snip>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
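The pipeline the post sketches (undo magic quotes only when they are actually on, strip_tags() and trim() over every posted item, per-field checks, htmlentities() deferred to display), written out as an added example. This is not code from the thread or from anyone in it; the field names, the $rules layout and the sample input are constructed for illustration. The last lines also show the point Justin raises: strip_tags() with an allowed-tags list keeps the tag's attributes, which is why the example strips all tags rather than whitelisting some.

```php
<?php
// Added example, not the poster's code. Cleans a $_POST-shaped array the way
// the post describes, then validates field by field and escapes only at display.

// Undo magic_quotes_gpc only when PHP reports it is on. Calling stripslashes()
// unconditionally, or on data that was already unescaped, is how slashes end up
// missing or doubled between one POST and the next.
function undo_magic_quotes($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value)
            ? array_map('undo_magic_quotes', $value)
            : stripslashes($value);
    }
    return $value;
}

// First pass over all posted data: remove every tag, then trim whitespace.
// Nested arrays (e.g. name="addr[city]") are handled recursively.
function clean_post(array $post) {
    $clean = array();
    foreach ($post as $key => $value) {
        $clean[$key] = is_array($value)
            ? clean_post($value)
            : trim(strip_tags(undo_magic_quotes($value)));
    }
    return $clean;
}

// Second pass, per field. $rules (assumed layout) maps a field name to
// array('required' => bool, 'max' => int, 'pattern' => PCRE regex).
// Returns an array of field => error message; empty array means all good.
function validate_fields(array $clean, array $rules) {
    $errors = array();
    foreach ($rules as $field => $rule) {
        $value = isset($clean[$field]) ? $clean[$field] : '';
        if (!empty($rule['required']) && $value === '') {
            $errors[$field] = 'must not be empty';
        } elseif (isset($rule['max']) && strlen($value) > $rule['max']) {
            $errors[$field] = 'too long (max ' . $rule['max'] . ')';
        } elseif ($value !== '' && isset($rule['pattern'])
                  && !preg_match($rule['pattern'], $value)) {
            $errors[$field] = 'contains characters that are not allowed';
        }
    }
    return $errors;
}

// Display stage: escape here, not before storing. ENT_QUOTES also covers the
// apostrophes the post mentions, so O'Brien round-trips correctly.
function for_display($value) {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample standing in for $_POST; the message body is the exact
// string from Justin's reply above.
$sample = array(
    'name'    => "  O'Brien  ",
    'email'   => 'someone@example.com',
    'message' => "<b onmouseover'javascript:window.close();'>hahahaha</b>",
);

$rules = array(
    'name'    => array('required' => true, 'max' => 60, 'pattern' => "/^[A-Za-z' .-]+$/"),
    'email'   => array('required' => true, 'max' => 254, 'pattern' => '/^[^@\s]+@[^@\s]+\.[^@\s]+$/'),
    'message' => array('required' => true, 'max' => 2000),
);

$clean  = clean_post($sample);
$errors = validate_fields($clean, $rules);

echo "cleaned: ";  print_r($clean);      // message becomes plain "hahahaha"
echo "errors:  ";  print_r($errors);     // empty array for this sample
echo "display: " . for_display($clean['name']) . "\n";  // O&#039;Brien

// Why whitelisting tags is not enough: strip_tags() keeps the attributes of
// any tag it is told to allow, so the handler survives intact.
echo "allowed <b>: " . strip_tags($sample['message'], '<b>') . "\n";
```

Two things worth keeping in mind when adapting this: the cleaning pass does nothing for the database step (that still needs a prepared statement or the driver's own escaping when the row is written), and because strip_tags() cannot be made attribute-aware, the safe combination for user content is "strip everything on the way in, htmlentities() on the way out".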