On Mon, Jun 30, 2003 at 18:22:59 -0400, Jeff <jam@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> also, I would suggest running each of the variables through a function that
> strips out html tags (since you don't really care about allowing them in
> this case, right?).. you can do that with strip_tags.. see
> http://php.net/strip_tags

Wouldn't it be better to replace <, >, " and & with &lt;, &gt;, &quot; and
&amp;, respectively, since those characters could legitimately appear in at
least some of those strings?
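
A side-by-side check of the two approaches discussed in this message, as an added example that is not part of the original post. The helper names `encode_for_html` and `compare` and all sample field values are constructed for illustration.

```php
<?php
// Added example; the field values below are constructed for illustration.

// Replace <, >, " and & with &lt;, &gt;, &quot; and &amp; at output time.
// ENT_QUOTES additionally encodes ' for single-quoted attribute values.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Run one value through both approaches and record what each one did.
function compare(string $value): array
{
    $stripped = strip_tags($value);
    $encoded  = encode_for_html($value);
    return [
        'stripped'       => $stripped,
        // strip_tags changed what the user typed.
        'strip_altered'  => $stripped !== $value,
        // strip_tags left a character that is special in HTML text or attributes.
        'strip_left_raw' => preg_match('/[<>"&]/', $stripped) === 1,
        'encoded'        => $encoded,
        // Decoding must give back exactly the original input.
        'round_trips'    => htmlspecialchars_decode($encoded, ENT_QUOTES) === $value,
    ];
}

$samples = [
    'swap when a<b or c>d',            // comparison operators, not markup
    'Tom & Jerry "Deluxe" edition',    // quotes and ampersand in a title
    'I <3 this list',                  // lone < with no closing >
    '<b>Jeff</b>',                     // actual markup
];

foreach ($samples as $value) {
    $r = compare($value);
    printf("input      : %s\n", $value);
    printf("strip_tags : %s%s%s\n", $r['stripped'],
        $r['strip_altered'] ? '  [text altered]' : '',
        $r['strip_left_raw'] ? '  [raw special chars remain]' : '');
    printf("encoded    : %s  [%s]\n\n", $r['encoded'],
        $r['round_trips'] ? 'round-trips' : 'LOSSY');
    // In an attribute, only the encoded form is safe to interpolate:
    //   <input name="title" value="(encoded value goes here)">
}
```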