--- Troy S <[EMAIL PROTECTED]> wrote:
> What is the best way to remove the characters from strings that may
> cause security problems? Namely, `, ', ", <, >, \ and all non-printing
> strings. Did I miss any?
As others have mentioned, this is the wrong approach if security is your concern. If someone is supposed to be entering a name, should characters such as $, %, and # be allowed? How about numbers? It's best to only allow valid data rather than bother to try and think of all of the ways invalid data can cause problems. You're sure to miss something. After all, it's basically you versus the world in a game of creativity, and the odds are against you.

Also, each type of data will have its own requirements; they're all potentially different.

As John mentioned, if people are submitting a post to a forum or something, they might want to be talking about code. In this case, something like htmlentities() will allow them to write code without posing such a risk.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
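The two points in the reply above, accepting only data known to be valid for a given field and escaping free text with htmlentities() instead of stripping characters, as an added PHP example that is not part of the original thread. The field rules (a name made of letters, spaces, apostrophes and hyphens; a quantity of one to four digits) and the sample inputs are assumptions chosen for illustration, not rules the thread prescribes:

```php
<?php
// Added example, not from the original thread. Two complementary habits:
// 1) validate input against an allowlist of what the field may contain;
// 2) escape free text on output so user-supplied markup is shown, not rendered.

// Hypothetical rule for a "name" field: a letter, then up to 59 letters,
// spaces, apostrophes or hyphens. Anything else is rejected outright;
// nothing is stripped or "cleaned", so there is no blacklist to get wrong.
function validate_name(string $name): bool
{
    return (bool) preg_match('/^\p{L}[\p{L} \'\-]{0,59}$/u', $name);
}

// Hypothetical rule for a numeric "quantity" field: 1 to 4 ASCII digits.
// Returns the integer on success, null on rejection, so callers cannot
// accidentally use the raw string.
function validate_quantity(string $raw): ?int
{
    if (!preg_match('/^[0-9]{1,4}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// A forum post is free text and legitimately contains <, >, quotes and
// backticks. Keep it intact in storage and escape it when emitting HTML.
function escape_for_html(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
$names = [
    "O'Brien",          // accepted
    "Mary-Jane Smith",  // accepted
    "<b>Bob</b>",       // rejected: markup is not part of a name
    "",                 // rejected: empty
];
foreach ($names as $n) {
    printf("%-20s %s\n", var_export($n, true),
        validate_name($n) ? 'accepted' : 'rejected');
}

foreach (['12', '007', '12345', '1e3'] as $q) {
    $v = validate_quantity($q);
    printf("%-8s %s\n", $q, $v === null ? 'rejected' : "quantity $v");
}

// A post that talks about code: nothing is removed, so the reader sees
// exactly what was written, and the browser treats it as text.
$post = 'Try <?php echo "hi"; ?> or the `ls` command';
echo escape_for_html($post), "\n";
```

validate_name() and validate_quantity() answer yes/no per field rather than trying to enumerate dangerous characters, which is the thread's point: each field has its own definition of valid, and the rest is rejected. escape_for_html() handles the forum case, where the content must keep its angle brackets and quotes but must not be interpreted as HTML when displayed.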