filter input; escape output; Email Text

So, I'm trying to be more consistent about escaping my output.

I do something like this (only prettier):

if (!isset($_REQUEST['blah_id'])) error_out("Bad blah_id input");
$blah_id = (int) $_REQUEST['blah_id'];
$blah_id_sql = mysql_real_escape_string($blah_id, $connection);
$query = "select title from blah where blah_id = $blah_id_sql";
$blah = mysql_query($query, $connection) or die("DB Error");
list($title) = mysql_fetch_row($blah);
$title_html = htmlentities($title);
$title_email = SOME_FUNCTION_HERE($title);

What function should be used to escape output to make it 100% kosher
for an email Subject and/or Body, in a plain-text email?

The original title came from the outside world, had
mysql_real_escape_string() applied to it, and was crammed into the DB.

It could have ANY kind of malicious text in it.

We do NOT send (and will NEVER send) HTML enhanced (cough, cough) emails.

For simplicity's sake, I'd probably be happy with a more restrictive
function that covered both Subject and Body in this instance.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
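
One restrictive way to fill the SOME_FUNCTION_HERE slot in the question above, shown as an added example that is not part of the original post. The function names escape_email_subject() and escape_email_body() are hypothetical, and limiting the Subject to printable ASCII is an assumption made to keep the function simple.

```php
<?php
// Added example; function names are hypothetical, not from the original post.

// Header context (Subject): a CR or LF in the value would let stored text
// begin a new header line, so no control character may survive.
function escape_email_subject(string $text, int $maxLen = 200): string
{
    // Restrictive by design: anything outside printable ASCII becomes a space.
    $text = preg_replace('/[^\x20-\x7E]+/', ' ', $text);
    // Collapse the runs of spaces left behind by the replacement.
    $text = preg_replace('/ {2,}/', ' ', $text);
    // Cap the length so the header stays on one reasonable line.
    return trim(substr($text, 0, $maxLen));
}

// Body context (text/plain): newlines are legitimate here, but other control
// bytes are not, and mail lines should stay well under the 998-octet limit.
function escape_email_body(string $text): string
{
    // Normalise every newline style to LF first.
    $text = str_replace(["\r\n", "\r"], "\n", $text);
    // Drop control characters other than LF and tab.
    $text = preg_replace('/[\x00-\x08\x0B-\x1F\x7F]/', '', $text);
    // Hard-wrap long lines (byte-based: an unbroken multi-byte run longer
    // than 78 bytes can be split inside a character).
    $text = wordwrap($text, 78, "\n", true);
    // Emit CRLF line endings for the message body.
    return str_replace("\n", "\r\n", $text);
}

// Constructed sample: a stored title that carries line breaks and a
// header-looking line, standing in for untrusted text read from the DB.
$title = "Sale today\r\nX-Injected: 1\r\n\r\nextra text";

$title_email_subject = escape_email_subject($title);
$title_email_body    = escape_email_body("New item: $title\n");

// The subject is now a single line with no CR/LF; the body keeps its line
// structure but only as CRLF-terminated text lines.
var_dump($title_email_subject);
var_dump($title_email_body);
```

The split into two functions follows the two contexts named in the question: the Subject is a header value, where line breaks must never appear, while the Body only needs control bytes removed and line endings normalised.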

