> what about when the GET is text? just use htmlspecialchars?
> just looking for some advice to help keep my apps secure.

What regular expression does one use when there really isn't a whole lot you can say about the text?...

I mean, say for a guestbook or bulletin board or for a person's Bio or...

You can limit it to a certain number of characters in length.

You can mess with strip_tags and also do an ereg to rip out any kind of JavaScript on tags you want to *allow*.

But then what?

I mean, it seems like there's still an awful lot of wiggle room for mischief there, in an arbitrary string typed by the user.

Do you typically check for the distribution of ABCDEF...XYZ and if it is "too far" from standard English, disallow it? How do you do that clearly/easily?

What more *can* be done to validate data that is so free-form essentially?

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
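The approach the thread circles around (strip_tags plus a regex hunting for JavaScript) is a blacklist; the defensive alternative for free-form text is to validate only the properties you can actually state (encoding, control characters, length) and then escape everything at the point of output with htmlspecialchars. The PHP below is an added example, not the poster's code; it assumes UTF-8 pages, PHP 7.1+ with the mbstring extension, and the function names and MAX_LEN limit are made up for illustration.

```php
<?php
// Added example (not from the original post): accept free-form guestbook
// text on input, then encode it for the HTML body on output.
// Assumes UTF-8 and mbstring; MAX_LEN is a hypothetical limit.

const MAX_LEN = 2000;

/**
 * Accept free-form text without trying to guess whether it is "mischief".
 * Only properties we can state about any text are enforced.
 * Returns the normalised text, or null if it is not acceptable.
 */
function accept_guestbook_text(string $raw): ?string
{
    // 1. Must be well-formed UTF-8, so that escaping later operates on
    //    the same characters the browser will decode.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    // 2. Normalise line endings, then drop control characters other
    //    than newline and tab (the \p{Cc} class, incl. NUL and DEL).
    $text = str_replace(["\r\n", "\r"], "\n", $raw);
    $text = preg_replace('/[^\P{Cc}\n\t]/u', '', $text);
    // 3. Length limit counted in characters, not bytes.
    $text = trim($text);
    if ($text === '' || mb_strlen($text, 'UTF-8') > MAX_LEN) {
        return null;
    }
    return $text;
}

/**
 * Render stored text inside an HTML body. Every markup character is
 * escaped and only line breaks are turned into <br>, so no regex has to
 * decide what "looks like" JavaScript: the browser never parses the
 * text as markup at all.
 */
function render_guestbook_text(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($escaped, false);
}

// Constructed sample entry containing tags, quotes and an ampersand.
$sample = "Hi! <b>hello</b>\r\nNice \"site\" & <music>.";
$clean = accept_guestbook_text($sample);
if ($clean !== null) {
    echo render_guestbook_text($clean), "\n";
}
```

The same text needs a different encoder in other contexts (a JavaScript string, a URL, an attribute), so keep the escaping at the output site rather than storing pre-escaped text.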