Hello,

I've got two questions. I'm having to redo my form. Can you tell me the difference, if any, between these two lines of code? This is for output filtering.

    <textarea name="description"> <?php echo htmlout("$description"); ?></textarea>
    <textarea name="description"><?php echo htmlout($description); ?> </textarea>

One has the quotes around the parameter in the function call; the other does not. Here are the functions:

    function html($text)
    {
        return htmlentities($text, ENT_QUOTES, 'UTF-8');
    }

    function htmlout($text)
    {
        return html($text);
    }

My second question is I'm wanting to do input filtering to prevent anything malicious from coming into my form. The eventual goal is to get this information into a database. Here's an insecure name field; I'm wanting to secure it against HTML tags, strange text, no symbols except perhaps period, dash, letters, numbers, alphanumeric stuff.

    $name = $_POST['name'];

    <div>
      <label for="name">Name*:</label>
      <input type="text" name="name" id="name" size="50" value="<?php echo htmlout($name); ?>" />
      <br />
    </div>

In my previous form I used a variable declaration like:

    $name = trim($_POST['name']);

but I can probably do better; as I said, this is eventually going into a database.

Thanks.
Dave.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
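
Added example, not part of the original post: one way to combine the three layers the message asks about, namely allow-list validation on input, a bound parameter for the database, and escaping at output. The helper validate_name(), its exact character rule (letters, digits, space, period, dash, 1 to 50 characters), the people table and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Output escaping, as in the post's html() helper.
function html($text)
{
    return htmlentities((string) $text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: allow-list check for the name field.
// Assumed rule: letters, digits, space, period, dash; 1 to 50 characters;
// first character a letter or digit. Returns the trimmed name, or null if rejected.
function validate_name($raw)
{
    if (!is_string($raw)) {   // name[]=x in the request arrives as an array
        return null;
    }
    $name = trim($raw);
    // \A...\z anchor the whole string; a bare "$" would also match before a trailing newline.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9 .-]{0,49}\z/', $name) !== 1) {
        return null;
    }
    return $name;
}

// For a string value, "$description" and $description are the same string,
// so both calls produce identical escaped output.
$description = 'Tom & "Jerry" <script>';
var_dump(html("$description") === html($description));

// In-memory SQLite stands in for the real database (assumes pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO people (name) VALUES (:name)');

// Constructed inputs standing in for $_POST['name'].
$samples = ['  Dave Smith ', 'J.-P. Doe', '<b>Dave</b>', "Da\nve", ['x'], ''];
foreach ($samples as $raw) {
    $name = validate_name($raw);
    if ($name === null) {
        echo 'rejected: ', html(json_encode($raw)), PHP_EOL;
        continue;
    }
    $insert->execute([':name' => $name]);   // bound parameter, never string concatenation
    // Escape again at output time, e.g. inside value="...".
    echo 'accepted: <input value="', html($name), '" />', PHP_EOL;
}
```

Validation decides what is allowed to be stored; it does not replace the bound parameter or the output escaping, since each protects a different context.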