> -----Original Message-----
> From: Andre Dubuc [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, September 28, 2002 8:34 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [PHP] Htmlentities and Newlines?
> 
> On Saturday 28 September 2002 07:55 pm, John W. Holmes wrote:
> > > Sorry about the ambiguity. What I'm trying to accomplish is close to
> > > what you describe. However, before anything goes into the db (i.e. html
> > > chars, bad commands, or anything from Mr. Hacker), I verify it. Someone
> > > suggested, way back when I first started with textarea, to use
> > > 'htmlentities' to strip the bad items out.
> >
> > It doesn't strip it, it just converts some characters to HTML code.
> >
> > > "You should always save it in the database exactly how the user typed
> > > it."
> > >
> > > So far, so good. But, if I follow what you suggest (and it's eminently
> > > reasonable!) I could have some 'bad stuff' becoming 'resident' in my
> > > db. Perhaps I am paranoid, but that seems like a-bad-thing-to-do.
> >
> > Yes. The key is to display it with htmlentities(). Never display it
> > directly.
> >
> > > "Save it with newlines and don't add any HTML code to it. "
> > >
> > > Ahh . . . if I save as the user typed it, assuming Mr. Hacker has
> > > added some little extras, what then?? I use a Preview mode for viewing
> > > what they've entered, and they must go back to the textarea box if they
> > > need to edit (which has exactly what they typed.)
> >
> > Again, you don't have to worry what's in there, as long as you display
> > it correctly.
> >
> > Now, if you know that these entries aren't going to be edited, then you
> > can do the conversion and save that. Unfortunately, there is no
> > "reversal" to htmlentities. So, you can't run htmlentities on the text
> > and then hope to display it back to the user for editing. A < will be
> > &lt;, and if you submit that and run htmlentities again, you'll have
> > &amp;lt;. See where the problem is?
> >
> > So, basically, as long as you're displaying the text correctly, use the
> > conversions when you display it. If you don't need to edit the text, run
> > the conversion before you put it in your database.
> >
> > Anyone disagree?
> >
> > ---John Holmes...
> 
> 
> Thanks John,
> 
> It appears I was doing it 'somewhat' correctly since I haven't run into
> the one-time-only problem with htmlentities. However, as I am only
> displaying the text in Preview Mode, when they click 'Back' on their
> browser, they'll see what they had just typed in. So, if they correct it,
> and click Preview, it'll be a new process since the old 'Preview' was not
> saved to session, but is a 'new' post (the old Preview was destroyed.)
> 
> Still, since I'm pulling the saved info from the db, iterating through
> all rows, and displaying it in table format, I can't get the linebreaks
> to display. Here's the 'code' that displays the info:
> 
> <?php
> /* db access using postgresql - each row is displayed */
> ...
> <tr><td>{$myrow['request']}</td></tr>
> ...
> ?>

I assume that's being echo'd or something, like this?

echo "<tr><td>{$myrow['request']}</td></tr>";

Then, you'd have to do this:

echo "<tr><td>" . nl2br(htmlentities($myrow['request'])) . "</td></tr>";

Does that clear it up?

---John Holmes...
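An added example, not code from John or Andre, that puts the two halves of this exchange together: the text is stored exactly as the user typed it, escaped and newline-converted only when displayed, and escaped once again (not twice) when handed back to a textarea for editing. It also shows the `&amp;lt;` double-escaping that results from converting before storage and again on display. The `$myrow` array, the `displayCell()` and `editTextarea()` function names and the sample text are constructed for this example; a real page would fill `$myrow` from the PostgreSQL query.

```php
<?php
// Added example, not from the original thread.

// Constructed sample of what a user (or "Mr. Hacker") might type into the textarea.
$typed = "Line one <script>alert('x')</script>\nLine two: a < b && c > d";

// Store as-is. In real code this is a parameterised INSERT; a plain array
// stands in for the fetched database row here.
$myrow = ['request' => $typed];

// Display path: escape for HTML first, then turn newlines into <br />.
// Order matters: escaping after nl2br() would turn the <br /> back into text.
function displayCell(string $text): string
{
    return "<tr><td>" . nl2br(htmlentities($text, ENT_QUOTES, 'UTF-8')) . "</td></tr>";
}

// Edit path: the textarea receives the raw stored text, escaped exactly once
// for the HTML context. The browser decodes it, so the user sees what they typed.
function editTextarea(string $text): string
{
    return '<textarea name="request">' . htmlentities($text, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

echo displayCell($myrow['request']), "\n";
echo editTextarea($myrow['request']), "\n";

// The problem John describes: converting before storage and again on display.
$storedEscaped  = htmlentities("a < b", ENT_QUOTES, 'UTF-8');         // a &lt; b
$displayedTwice = htmlentities($storedEscaped, ENT_QUOTES, 'UTF-8');  // a &amp;lt; b
echo $displayedTwice, "\n";

// Passing double_encode = false leaves existing entities alone, so already
// escaped text is not mangled a second time if it does reach the display path.
echo htmlentities($storedEscaped, ENT_QUOTES, 'UTF-8', false), "\n";  // a &lt; b
```

The design choice is the one John argues for: the database holds the user's bytes, and every output context does its own escaping. Current PHP also offers `html_entity_decode()`, which reverses `htmlentities()`, but relying on it means tracking which rows were escaped before storage; keeping the stored text raw avoids that bookkeeping entirely.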



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
