when storing, use mysql_real_escape_string (or equiv for whatever db)
eg,
// every user-supplied value is escaped before it is concatenated into the SQL
$query = 'insert into table set
field=\''.mysql_real_escape_string($valuefromuser).'\', field2=...
when displaying user input (no matter where from), use htmlentities()
eg,
echo htmlentities($string_from_db);
--
Lou
On Fri, 27 May 2005 11:59:53 +0100
symbulos <[EMAIL PROTECTED]> wrote:
> Dear friends,
>
> we are using php for developing a small tool for uploading files for
> download
> (publications). Using the usual move_uploaded_file, the publications
> are loaded into a directory where the webserver can
Hi all,
Say you get some text field from a user and store it in a database. Then
later you display this input. If the user has coded html in the actual
input, without running this through some kind of parsing function, it could
give you some odd results.
For example, say the user types in, a
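Added example (not code from the thread or from either poster) putting both halves of Lou's advice together and showing the "odd results" the last message describes: user input is neutralised on the way into the database and encoded with htmlentities() on the way out. Because mysql_real_escape_string needs a live MySQL connection (and the mysql extension is gone from PHP 7+), the storage step here uses a PDO prepared statement against an in-memory SQLite database, which is assumed to be available through pdo_sqlite; the table name, the stored inputs and the rendering function are all constructed for the example.

```php
<?php
// Added example, not part of the original thread. Assumes the pdo_sqlite
// extension. A prepared statement stands in for mysql_real_escape_string():
// both keep user data out of the SQL text, one by escaping, one by binding.

function createStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE publications (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    return $db;
}

// Storing: the value is bound as a parameter, never concatenated into the query.
function storeTitle(PDO $db, string $valueFromUser): void {
    $stmt = $db->prepare('INSERT INTO publications (title) VALUES (:title)');
    $stmt->execute([':title' => $valueFromUser]);
}

// Displaying: whatever came out of the database is encoded before it hits HTML,
// regardless of where it originally came from.
function renderTitles(PDO $db): string {
    $html = "<ul>\n";
    foreach ($db->query('SELECT title FROM publications ORDER BY id') as $row) {
        $html .= '  <li>' . htmlentities($row['title'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed inputs: one carrying a single quote, one carrying HTML markup.
$db = createStore();
storeTitle($db, "O'Reilly's PHP notes");
storeTitle($db, '<b>not really bold</b>');

// Both rows are stored verbatim: the quote did not break the INSERT and the
// tags were not altered, because neither value ever became part of the SQL.
echo 'rows stored: ' . $db->query('SELECT COUNT(*) FROM publications')->fetchColumn() . "\n";

// Safe output: the tags and quotes show up as literal text in the page.
echo renderTitles($db);

// The "odd results" case: the same row echoed without htmlentities() is
// emitted as live markup and the browser will interpret it.
echo '<li>' . $db->query('SELECT title FROM publications WHERE id = 2')->fetchColumn() . "</li>\n";
```

Run it with the PHP CLI and compare the last two outputs: the encoded list shows `&lt;b&gt;` where the raw echo shows a real `<b>` tag. The split is the point of Lou's reply: escaping (or binding) protects the database, htmlentities() protects the page, and each is needed at its own boundary.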