Hello everyone,

I reread the manual again on the topic of backticks, and from that I have a security / usability issue.

Here is the issue: When I check form data from a simple form, I use regular expressions to make sure the input conforms to certain guidelines before including it in my scripts. Basically this means excluding special characters like the above-mentioned backticks. Well, so far so good. When the input is wrong, I'd like to redisplay the wrong input and ask the user to correct it.

Now here comes the issue: as far as I understand the manual, the text in between backticks is executed and the output is included in place. This happens when I echo the text out. So if I don't allow backticks in my input field and I want to redisplay that input, I execute the code, right? Meaning I can't redisplay the text as the user inputted it. When I use escapeshellcmd to prevent any execution, I redisplay the input differently than the user's input. This will confuse most users and is not as wished from a usability standpoint.

So have I misunderstood the way backticks work, or is this an unresolvable issue?

Any help greatly appreciated.

Stefan
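
The redisplay case the post asks about, as an added example that is not part of the original post: in PHP the backtick operator applies only to backticks written in the script's own source, not to backticks inside string data, so a rejected value can be echoed back as typed once it is HTML-encoded. The field name `comment`, the allowlist pattern and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. The field name "comment" and
// the allowed-character pattern are assumptions made for illustration.

// Constructed sample input containing backticks, as a user might submit it.
$_POST['comment'] = 'hello `id` & <b>world</b>';

/** Validate against an allowlist pattern (assumed guideline). */
function is_valid_comment(string $input): bool
{
    // Letters, digits, spaces and basic punctuation only; 1 to 200 chars.
    return preg_match('/\A[\p{L}\p{N} .,!?-]{1,200}\z/u', $input) === 1;
}

/** Encode a value for output inside HTML text or a quoted attribute. */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$raw = (string) ($_POST['comment'] ?? '');

if (!is_valid_comment($raw)) {
    // $raw is string data. PHP's backtick operator only applies to backticks
    // written in the PHP source itself, so echoing this value runs nothing.
    // What redisplay does need is HTML encoding, so that < > & and quotes
    // are shown literally by the browser instead of being parsed as markup.
    echo '<p>Please correct your input:</p>', "\n";
    echo '<input type="text" name="comment" value="', html($raw), '">', "\n";
} else {
    echo '<p>Thanks: ', html($raw), '</p>', "\n";
}

// escapeshellcmd()/escapeshellarg() belong only where a value is passed to a
// shell (exec, system, the backtick operator), not where it is printed.
```

The browser renders the encoded value exactly as the user typed it, backticks included, so the form can be corrected without the text changing.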