> Sorry about the ambiguity. What I'm trying to accomplish is close to what
> you describe. However, before anything goes into the db (ie html chars, bad
> commands, or anything from Mr. Hacker), I verify it. Someone suggested, way
> back when I first started with textarea, to use 'htmlentities' to strip the
> bad items out.

It doesn't strip it, it just converts some characters to HTML code.

> "You should always save it in the database exactly how the user typed it."
>
> So far, so good. But, if I follow what you suggest (and it's eminently
> reasonable!) I could have some 'bad stuff' becoming 'resident' in my db.
> Perhaps I am paranoid, but that seems like a-bad-thing-to-do.

Yes. The key is to display it with htmlentities(). Never display it directly.

> "Save it with newlines and don't add any HTML code to it."
>
> Ahh . . . if I save as the user typed it, assuming Mr. Hacker has added some
> little extras, what then?? I use a Preview mode for viewing what they've
> entered, and they must go back to the textarea box if they need to edit
> (which has exactly what they typed.)

Again, you don't have to worry what's in there, as long as you display it correctly. Now, if you know that these entries aren't going to be edited, then you can do the conversion and save that.

Unfortunately, there is no "reversal" to htmlentities. So, you can't run htmlentities on the text and then hope to display it back to the user for editing. A < will be &lt;, and if you submit that and run htmlentities again, you'll have &amp;lt;. See where the problem is?

So, basically, as long as you're displaying the text correctly, use the conversions when you display it. If you don't need to edit the text, run the conversion before you put it in your database.

Anyone disagree?

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
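The store-raw, escape-on-output pattern from the reply above, as an added PHP example that is not part of the original thread. It assumes PHP 7 or later (for the scalar type hints) and treats the `$userInput` string as a constructed sample of what a user might type into the textarea; the helper name `e()` and the two render functions are this example's own, not anything from the list post.

```php
<?php
// Added example: keep textarea input untouched in storage, escape only
// when rendering, and show why escaping before storage breaks the
// round trip through an edit form.

// Constructed sample of hostile textarea input (not real user data).
$userInput = "Hello <b>world</b>\n<script>alert('x')</script> & friends";

// Escaping helper used at every output point, display and edit form alike.
// ENT_QUOTES also escapes quotes so the value is safe inside attributes.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Storage: save exactly what the user typed. HTML escaping has nothing
//    to do with the database; use a prepared statement for the INSERT.
$stored = $userInput;

// 2. Preview/display: escape on the way out. nl2br() runs after e(), so
//    the <br /> tags it adds are the only markup in the output.
function renderPreview(string $stored): string
{
    return '<div class="preview">' . nl2br(e($stored)) . '</div>';
}

// 3. Edit form: escape into the textarea as well. The browser decodes
//    the entities, so the user sees exactly the raw text they typed.
function renderEditForm(string $stored): string
{
    return '<textarea name="body">' . e($stored) . '</textarea>';
}

echo renderPreview($stored), "\n";
echo renderEditForm($stored), "\n";

// 4. The double-escaping trap from the post: if the stored copy was
//    already run through htmlentities(), escaping it again on display
//    turns "&lt;" into "&amp;lt;" and the user sees a literal "&lt;".
$escapedAtStorage = e($userInput);
echo e($escapedAtStorage), "\n"; // &amp;lt;b&amp;gt; ... rather than &lt;b&gt;
```

Run it with `php example.php` and compare the last line with the preview: the raw copy renders the tags as harmless visible text once, while the pre-escaped copy comes out mangled, which is exactly why escaping belongs at the output boundary rather than before the database write.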