Posted by Jerry Stuckle on 08/10/07 03:21

Paul Furman wrote:
> Paul Furman wrote:
>
>> Michael Fesser wrote:
>>
>>> When printing anything to an HTML page, use
>>> htmlspecialchars() to escape those characters that have a special
>>> meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
>>> the manual for details.
>>>
>>> http://www.php.net/htmlspecialchars
>>
>> Thanks again, it sounds like I should run that in my html_safe()
>> function along with stripslashes().
>
> Just a followup on the htmlspecialchars idea, I tried it & had to
> disable it... if I used that, I'd need to be more selective than my
> html_safe function because it disabled my ability to add content from
> the admin interface with links & images. But thanks for mentioning it.
>

If it's affecting links and images, you aren't being selective enough!

Like any other function - call it if you need to. But it's not meant to
be called for everything you're displaying.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

• Next in forum: Re: CURL and SSL
• Prev in forum: Re: Flash stronger then PHP?
• Thread view: Re: mysql_real_escape_string() chopping off after quotes

[Reply to this message]