I've searched of 21000 messages in this list and I don't quite understand how to best protect user input.
Let's say you have a form that posts to itself just do see how messed up data can get:
>>>>>>>>>>>>>>>>>>>>>>
if(get_magic_quotes_gpc()) {
$_POST=array_map('stripslashes',$_POST);
}
$_POST=array_map('trim',$_POST);
$fname=$_POST["fname"];
<input name="fname" value="<? echo htmlentities($fname); ?>">
<<<<<<<<<<<<<<<<<<<<<<
htmlentities() does a good job to protecting quotes and allows for pretty flexible data entry characters.
I found another function on the internet called "cleanconvertaccents" which I can run through array_map. However it's not perfect.
If you enter an ALT-151 charcter, the value of the input keeps getting longer and longer as it double encodes on each submission.
newegg.com does a good job to maintaining extended characters (presenting them back to the user) and keeps them from getting out of hand.
How do other do this?
thanks,
-Eric Wood
