I am a consultant developing a PHP-based site (fully operational now, we're adding some new features). One thing I need to do is allow resellers of my client's services to edit HTML which will then be used on the web pages their customers see. In other words they get to customize the appearance of their portion of the site. Most of the data entry involved is stuff where they plug in some data and I create the HTML with it -- stuff like colors and titles. But in some cases I need to allow them to enter HTML code themselves. I am currently running the code through htmlentities() before displaying it in the form field for them to edit. The _POST data is run through trim(), then substr() to limit the length, then html_entity_decode(), before doing any further processing. We also use strip_tags() on all fields in _POST except the HTML data, and everything that goes into the database is run through mysql_real_escape_string(). Do these methods seem reasonably secure? Am I missing something? The risk is minimized by the fact that the HTML the user enters is displayed to their own customers, whom they presumably don't want to attack (and if they did they could just do it on their own web site). But I still want to avoid as many opportunities as possible for either inadvertent or deliberate errors to cause trouble. Thanks for any comments, -- Tom -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
