On Tue, Jul 01, 2003 at 08:46:57AM -0500, Bruno Wolff III wrote:
> Date: Tue, 1 Jul 2003 08:46:57 -0500
> From: Bruno Wolff III <bruno@wolff.to>
> To: Jeff <jam@zoidtechnologies.com>
> Cc: Frank Bax <fbax@sympatico.ca>, pgsql-php@postgresql.org
> Subject: Re: [PHP] PHP form Creates Blank DB entries
> Mail-Followup-To: Jeff <jam@zoidtechnologies.com>,
> Frank Bax <fbax@sympatico.ca>, pgsql-php@postgresql.org
>
> On Mon, Jun 30, 2003 at 18:22:59 -0400,
> Jeff <jam@zoidtechnologies.com> wrote:
> >
> > also, I would suggest running each of the variables through a function that
> > strips out html tags (since you don't really care about allowing them in
> > this case, right?).. you can do that with strip_tags.. see
> > http://php.net/strip_tags
>
> Wouldn't it be better to replace <, >, " and & with <, >, " and
> &, resprectively since those characters could legitimately appear
> in at least some of those strings?
yes, preparestring handles not only the call to strip_tags, but a call to
htmlentities as well, which covers the above. I did not indicate this fact
clearly in my email-- I apologize for being misleading.
if I've missed anything, please let me know.. I think I have all the bases
covered, but I'm willing to make changes if there is some glaring hole (or
even a not-so-glaring one) I have missed :)
you can check the eros tarball, common.php, the function is called
preparestring.
regards,
J
--
|| Jeff - http://zoidtechnologies.com/
|| GNUPG Fingerprint: A607 0F19 7C75 1305 67E4 BDFF 26BD 606E 3517 2A42