Posted by Hilarion on 11/03/05 13:40
> I do have some follow up questions regarding your other info though. If I
> use htmlspecialchars(), does it not then convert all of the HTML tags
> someone enters into non-useable tags by converting them to the > symbols?
> My understanding is going by the PHP manual:
>
>
> <?php
> $new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
> echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
> ?>
>
>
> This would seemingly cause me problems as users are entering HTML and will
> need the HTML characters to remain intact as they go to the DB, as we're
> simply echoing the value of the TEXT field holding all HTML to the browser.
> I know that I need to addslashes and stripslashes to escape characters that
> I'll need to make HTML work, but am not quite sure of the application of
> htmlspecialchars() in this case. Thanks again for any info.
If you want to have the text interpreted as HTML, then in this case you should not
use "htmlspecialchars" on it. But if the same text is going to be edited
in <textarea>, then you should use the function.
In general you should use the function on all values in form fields
unless you are 200% sure that the data does not contain ANY characters
special for HTML. In case of <textbox> and <input type="text"> I think
you should always use it.
If it's about storing data in the database, then no, you should not
use the function when putting the data into DB. There are functions
like "mysql_real_escape_string" (addslashes is NOT enough for MySQL).
But if you retrieve data from DB and it's not supposed to be interpreted
as HTML (for example you want to display a name of company which is
stored in the database, and even if the name contains some characters
like "<" or ">" you want to display them literally) or it's going to
be put in <form> fields, then use htmlspecialchars.
If you are not sure if you should use htmlspecialchars in some case,
then always test it for texts like:
'"</textarea><b>test</script>
It contains single quote, double quote, and some HTML tags. If your
script will not behave as intended in ALL cases of use with this text
(also when placed in <input> fields with JavaScript validation turned
off), then you should try using the function (or stop
using it if it's used) in that particular place of script.
The text above will also test your use of SQL escaping function,
but it's not a good test because simple addslashes function
will do in this case, but - as I mentioned before - it's not
enough for some nasty SQL injection attacks.
Hilarion
PS.: If you are not using single quotes to quote attribute values
then use htmlspecialchars without the second argument.
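The reply above separates two layers: escaping for the database on the way in and escaping for the HTML context on the way out. The following is an added example, not code from the thread; it runs Hilarion's test string through an in-memory SQLite table via PDO prepared statements (assumed available; this stands in for the mysql_* functions the reply names, which were removed in PHP 7) and then renders the same stored value into an <input>, a <textarea> and a trusted-HTML body. The helper names `esc`, `render_input`, `render_textarea`, `render_trusted_html` and `store_and_fetch` are my own.

```php
<?php
// Added example (not from the original thread): one piece of user-supplied
// text stored raw, then escaped per output context. PDO + SQLite is an
// assumption standing in for the MySQL functions discussed in the reply.

declare(strict_types=1);

// Hilarion's test string: single quote, double quote, and tags that close
// a <textarea> and a <script> element.
const TEST_INPUT = "'\"</textarea><b>test</script>";

// Escape for any context where the text must be shown literally (a company
// name in a paragraph, an attribute value, textarea content). ENT_QUOTES
// covers both quote styles, so the helper is safe inside single- or
// double-quoted attributes; ENT_SUBSTITUTE avoids an empty string on
// malformed UTF-8 (constructed input here is valid).
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// An <input type="text"> pre-filled with the value.
function render_input(string $name, string $value): string
{
    return '<input type="text" name="' . esc($name) . '" value="' . esc($value) . '">';
}

// A <textarea> pre-filled with the value for editing.
function render_textarea(string $name, string $value): string
{
    return '<textarea name="' . esc($name) . '">' . esc($value) . '</textarea>';
}

// Body HTML the site owner has decided to render as markup. The function is
// intentionally NOT applied: this is the "text interpreted as HTML" case
// from the reply, and it only makes sense for authors you trust.
function render_trusted_html(string $html): string
{
    return '<div class="body">' . $html . '</div>';
}

// Store and reload the raw text. Quoting for the database is done by the
// prepared statement; no htmlspecialchars and no addslashes on the way in.
function store_and_fetch(PDO $db, string $text): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $ins->execute([':body' => $text]);
    $sel = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $sel->execute([':id' => (int) $db->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stored = store_and_fetch($db, TEST_INPUT);

// The value round-trips through the database unchanged.
if ($stored !== TEST_INPUT) {
    throw new RuntimeException('stored text was altered on the way through the DB');
}

// Escaped contexts: the quotes and tags come back as entities, so the
// field boundaries stay where the markup put them.
echo render_input('title', $stored), "\n";
echo render_textarea('body', $stored), "\n";

// Same value without the helper: the literal </textarea> ends the field
// early and the rest of the string lands in the page as markup.
echo '<textarea name="body">' . $stored . "</textarea>\n";

// Trusted-HTML context, deliberately unescaped (only for trusted authors).
echo render_trusted_html('<p>Hello</p>'), "\n";
```

Running it prints the escaped <input> and <textarea> with `'` as `&#039;`, `"` as `&quot;` and the tags as `&lt;...&gt;`, followed by the unescaped textarea in which the browser would see the field close after the first `</textarea>`. That last line is the behaviour the reply's test string is meant to expose.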