Posted by Jerry Stuckle on 08/11/07 13:43
Paul Furman wrote:
> Jerry Stuckle wrote:
>> Paul Furman wrote:
>>> Paul Furman wrote:
>>>> Michael Fesser wrote:
>>>>
>>>>> When printing anything to an HTML page, use
>>>>> htmlspecialchars() to escape those characters that have a special
>>>>> meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag.
>>>>> See
>>>>> the manual for details.
>>>>>
>>>>> http://www.php.net/htmlspecialchars
>>>>
>>>> Thanks again, it sounds like I should run that in my html_safe()
>>>> function along with stripslashes().
>>>
>>> Just a followup on the htmlspecialchars idea, I tried it & had to
>>> disable it... if I used that, I'd need to be more selective than my
>>> html_safe function because it disabled my ability to add content from
>>> the admin interface with links & images. But thanks for mentioning it.
>>
>> If it's affecting links and images, you aren't being selective enough!
>>
>> Like any other function - call it if you need to. But it's not meant
>> to be called for everything you're displaying.
>
> Yes, agreed. My html_safe() function is being applied to anything that
> leaves the mySQL database and anything entering gets the db_safe()
> function applied. I don't really know why I'd need it except as a
> catch-all at this point but good to know it exists if I encounter these
> problems again and another handy way to display html code without being
> interpreted by the browser.
>
Yep, but I just call mysql_real_escape_string() on the data as it is
being inserted into the database, i.e.

    // escape the copy that goes into the SQL string, and quote it
    $result = mysql_query("INSERT INTO mytable VALUES ('" .
        mysql_real_escape_string($val) . "')");

Or if I'm going to display the data:

    echo htmlspecialchars($val);

I don't change the variable itself. I might need it in its "pure form"
again.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
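The pattern Jerry describes above (store the raw value, escape once at the SQL boundary on the way in, escape once with htmlspecialchars() on the way out, and never overwrite the variable itself) as an added, runnable example that is not part of the original thread. It assumes an in-memory SQLite database through PDO as a stand-in for the mysql_* extension, which no longer exists in current PHP; PDO::quote() takes the place of mysql_real_escape_string() plus the surrounding quotes, and a prepared statement is shown as the form that needs no escaping at all. The sample inputs are constructed.

```php
<?php
// Added example, not from the original thread. Keep the raw value unchanged,
// escape once for SQL when inserting, escape once for HTML when displaying.
// In-memory SQLite via PDO is an assumption so the script runs offline;
// PDO::quote() plays the role of mysql_real_escape_string() + quotes.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, val TEXT NOT NULL)');

// Constructed sample inputs: one ordinary comment, and one that carries both
// a single quote (a problem for SQL) and markup (a problem for HTML).
$inputs = [
    "Bob's <b>bold</b> comment",
    "<script>alert(1)</script> & O'Neil",
];

foreach ($inputs as $val) {
    // SQL boundary: escape the copy that goes into the statement, never the
    // variable itself. quote() also adds the surrounding quotes that a bare
    // mysql_real_escape_string() call leaves out.
    $pdo->exec('INSERT INTO mytable (val) VALUES (' . $pdo->quote($val) . ')');
}

// Preferred form: a prepared statement, where the value is never part of
// the SQL text and so needs no escaping at all.
$stmt = $pdo->prepare('INSERT INTO mytable (val) VALUES (?)');
$stmt->execute(["Alice's \"quoted\" <i>text</i>"]);

// Read back: what is stored is the original, unescaped string, so it can be
// reused in any other context (e-mail, JSON, a search index) later.
$rows = $pdo->query('SELECT val FROM mytable ORDER BY id')
            ->fetchAll(PDO::FETCH_COLUMN);
assert($rows[0] === $inputs[0]);
assert($rows[1] === $inputs[1]);

// HTML boundary: escape only at output. ENT_QUOTES covers single quotes as
// well, so the same helper is safe inside attribute values.
foreach ($rows as $val) {
    echo '<li>' . htmlspecialchars($val, ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

This is also why a catch-all html_safe() on everything leaving the database broke the admin links and images mentioned earlier in the thread: escaping belongs at the point of output, chosen per destination, and content an administrator deliberately enters as HTML has to be kept apart from untrusted user input rather than run through the same filter.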