On Saturday 28 September 2002 08:19 pm, Sascha Cunz wrote:
> > Hi John,
> >
> > Sorry about the ambiguity. What I'm trying to accomplish is close to what you describe. However, before anything goes into the db (i.e. html chars, bad commands, or anything from Mr. Hacker), I verify it. Someone suggested, way back when I first started with textarea, to use 'htmlentities' to strip the bad items out.
> >
> > "You should always save it in the database exactly how the user typed it."
> >
> > So far, so good. But, if I follow what you suggest (and it's eminently reasonable!) I could have some 'bad stuff' becoming 'resident' in my db. Perhaps I am paranoid, but that seems like a-bad-thing-to-do.
> >
> > "Save it with newlines and don't add any HTML code to it."
> >
> > Ahh . . . if I save as the user typed it, assuming Mr. Hacker has added some little extras, what then?? I use a Preview mode for viewing what they've entered, and they must go back to the textarea box if they need to edit (which has exactly what they typed.)
> >
> > Oh, this all made sense to me a while ago, but I am tired, and it's beginning to sound like gibberish.
> >
> > Thanks again.
> > Andre
>
> Things will be alright, if you follow two rules:
>
> 1. Before output, use htmlentities() to make sure your text isn't confused with HTML (this way no one can insert HTML tags into your text).
>
> 2. Before saving to database, either use addslashes() or turn on magic_quotes in php.ini. (This will ensure that no one drops your database on the fly, e.g. enters something like '; drop database;' into a textarea.) As I remember, magic_quotes should be turned on by default.
>
> Don't do anything else with data that goes to your database, or you'll lose the possibility to edit it later on.
>
> Regards
> Sascha
Hi Sascha,

Short question: following your advice, what would the data look like in the db if I typed in:

Hi Sascha.
Next line is doubled.

Double.

How would that appear in the db? In mine, it looks exactly like I typed it above (using 1 & 2 with magic_quotes=on).

Regards,
Andre

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
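The round trip Andre asks about, written out as an added PHP example that is not part of the thread. It applies Sascha's two rules to the exact text Andre typed: escape once before the SQL literal is built, store the text unchanged with its newlines, and neutralise HTML only at output time. The function names escape_for_db and render_for_html are my own, and the sample input is constructed. The thread's rule 2 offers addslashes() and magic_quotes as alternatives; using both escapes the text twice, which is why the example undoes magic_quotes before calling addslashes(). Those functions belong to PHP 4/5; magic_quotes and get_magic_quotes_gpc() are gone in PHP 7/8, where prepared statements take over the job of rule 2.

```php
<?php
// Added example, not code from the mailing-list thread.
// Assumes PHP 4/5-era functions: addslashes, get_magic_quotes_gpc,
// stripslashes, htmlentities, nl2br. On PHP 8 the magic_quotes branch is
// skipped and addslashes() should be replaced by a prepared statement.

// Constructed sample input: what the user typed into the textarea,
// newlines intact, plus a quote and a tag to show the escaping at work.
$typed = "Hi Sascha.\nNext line is doubled.\n\nDouble.\nO'Reilly wrote <b>this</b>.";

// Rule 2 (before saving): escape quotes exactly once. If magic_quotes_gpc is
// on, PHP has already added slashes to $_POST, so strip them first to avoid
// double escaping; otherwise addslashes() alone does the job.
function escape_for_db($text) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $text = stripslashes($text);
    }
    return addslashes($text);
}

// Rule 1 (before output): neutralise HTML, then turn the stored newlines
// into <br /> tags so the blank line survives in the rendered page.
function render_for_html($stored) {
    return nl2br(htmlentities($stored, ENT_QUOTES));
}

$for_sql = escape_for_db($typed);
// The SQL statement is built as: INSERT INTO posts (body) VALUES ('$for_sql')
// The slashes live only inside this SQL literal; the database stores the
// unescaped text, so the row holds exactly what was typed, newlines and all.
echo "SQL literal:\n'" . $for_sql . "'\n\n";

// What SELECT hands back is the original text (constructed here, since
// there is no database in this example).
$stored = $typed;
echo "Stored in the db:\n" . $stored . "\n\n";

// The Preview page and any other HTML view use rule 1:
echo "Rendered for HTML:\n" . render_for_html($stored) . "\n\n";
// "Next line is doubled.\n\nDouble." becomes two consecutive <br /> tags,
// which is the doubled line Andre asked about, and <b>this</b> is shown
// literally as &lt;b&gt;this&lt;/b&gt; instead of being interpreted.

// The edit form gets htmlentities() only, no nl2br(): the browser keeps the
// newlines inside a <textarea>, so the user sees exactly what they typed.
echo "Back into the textarea:\n<textarea>" . htmlentities($stored, ENT_QUOTES) . "</textarea>\n";
```

The practical point is the one Sascha makes: the "bad stuff" is harmless in the database because it is only data there, and it becomes dangerous only at the moment it is placed into a SQL statement or an HTML page, which is exactly where the two escaping steps are applied.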