On Tue, Jul 01, 2003 at 08:46:57AM -0500, Bruno Wolff III wrote: > Date: Tue, 1 Jul 2003 08:46:57 -0500 > From: Bruno Wolff III <bruno@xxxxxxxx> > To: Jeff <jam@xxxxxxxxxxxxxxxxxxxx> > Cc: Frank Bax <fbax@xxxxxxxxxxxx>, pgsql-php@xxxxxxxxxxxxxx > Subject: Re: [PHP] PHP form Creates Blank DB entries > Mail-Followup-To: Jeff <jam@xxxxxxxxxxxxxxxxxxxx>, > Frank Bax <fbax@xxxxxxxxxxxx>, pgsql-php@xxxxxxxxxxxxxx > > On Mon, Jun 30, 2003 at 18:22:59 -0400, > Jeff <jam@xxxxxxxxxxxxxxxxxxxx> wrote: > > > > also, I would suggest running each of the variables through a function that > > strips out html tags (since you don't really care about allowing them in > > this case, right?).. you can do that with strip_tags.. see > > http://php.net/strip_tags > > Wouldn't it be better to replace <, >, " and & with <, >, " and > &, resprectively since those characters could legitimately appear > in at least some of those strings? yes, preparestring handles not only the call to strip_tags, but a call to htmlentities as well, which covers the above. I did not indicate this fact clearly in my email-- I apologize for being misleading. if I've missed anything, please let me know.. I think I have all the bases covered, but I'm willing to make changes if there is some glaring hole (or even a not-so-glaring one) I have missed :) you can check the eros tarball, common.php, the function is called preparestring. regards, J -- || Jeff - http://zoidtechnologies.com/ || GNUPG Fingerprint: A607 0F19 7C75 1305 67E4 BDFF 26BD 606E 3517 2A42