Re: sanitizing get vars

Sebastian wrote:
what is a safe way to clean a post/get before echoing it.

There are two steps that you're lumping into one. Sanitizing and cleaning are informal terms for filtering, and this is an inspection process where you inspect data to be sure that it's valid. You should do this with any input, regardless of the source.

You need to escape data to prepare it for output. When you're sending data to the client (echo), you want to use htmlentities(). If possible, specify your character encoding (see http://php.net/htmlentities).

This talk covers these two steps in the first few slides:

http://brainbulb.com/talks/php-security-briefing.pdf (PDF)
http://brainbulb.com/talks/php-security-briefing.swf (Flash)

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
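The two steps in the reply above, as an added PHP example that is not part of the original thread and not Chris's code: a constructed array standing in for $_GET is filtered field by field, and whatever reaches the page is escaped with htmlentities() for HTML output. The field names (page, name, lang), the allowed values and the helper h() are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original post): filter on input, escape on output.
declare(strict_types=1);

// Constructed input standing in for a real $_GET. The last two values are
// the kind of payloads used to probe for reflected XSS.
$get = [
    'page' => '3',
    'name' => '<script>alert(1)</script>',
    'lang' => 'en"><img src=x onerror=alert(1)>',
];

// Step 1: filter. Inspect every value against what it is allowed to be and
// keep only accepted values in a separate array, so raw input is never used
// by accident later in the script.
$clean = [];

// page: a positive integer written in ASCII digits only.
if (isset($get['page']) && ctype_digit($get['page'])) {
    $clean['page'] = (int) $get['page'];
}

// name: letters (any script), spaces, apostrophe, dot, hyphen; bounded length.
if (isset($get['name']) && preg_match('/^[\p{L} \'.-]{1,64}$/u', $get['name'])) {
    $clean['name'] = $get['name'];
}

// lang: an allowlist of known values; anything else is rejected outright.
$allowedLangs = ['en', 'de', 'fr'];
if (isset($get['lang']) && in_array($get['lang'], $allowedLangs, true)) {
    $clean['lang'] = $get['lang'];
}

// Step 2: escape for the output context. ENT_QUOTES encodes both quote
// characters so the result is also safe inside an HTML attribute, and the
// explicit encoding argument is the point Chris makes about htmlentities().
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Output: filtered values where they passed, defaults where they did not,
// and escaping applied to everything regardless of where it came from.
$page = $clean['page'] ?? 1;
$name = $clean['name'] ?? 'guest';
$lang = $clean['lang'] ?? 'en';

echo '<html lang="', h($lang), "\">\n";
echo '<p>Hello, ', h($name), '. You are on page ', h((string) $page), ".</p>\n";

// Escaping is the step that protects output even where filtering did not
// apply; the hostile value rendered through h() becomes inert text.
echo '<p>Raw name after escaping: ', h($get['name']), "</p>\n";
```

Run it with `php` on the command line; the hostile name fails the filter, so the page greets "guest", and the escaped copy of the payload comes out as `&lt;script&gt;...` rather than markup. Note that htmlentities() is the right escape for HTML body and attribute context only; data placed inside a script block or a URL needs the escaping rules of that context instead.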

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

