On 01/25/2011 02:36 PM, Donovan Brooke wrote:
> Hello,
>
> I don't yet have a complete understanding of string encodings for the
> various environments they may need to pass through or be in. I have
> found bits and pieces within Larry's book, the online docs, and by
> googling... and my app seems to be working fine, but I don't yet feel
> confident on "best practices". So, I thought I'd see if I could spark
> some feedback to the following:
>
> 1.) Saving strings to a database

Just use the proper escaping and save what is received. For example:
mysql_real_escape_string(), or addcslashes() for DBs without a comparable
function, or preg_replace() for those that escape differently.

If you definitely don't want certain things then strip them: striptags()
If you may need it then leave it.

> 2.) print/echo'ing string fields from a database.
> a. Allowing HTML?
> b. Not allowing HTML?

Depends on whether you want to render HTML. If so, and you can trust it
(you or a trusted source entered it) then do nothing. Otherwise, if you
want to show the HTML as source tags then: htmlentities()

If you don't want it then strip it before insert or when displaying,
your call: striptags()

> 3.) print/echo'ing string fields into form textareas.

The textarea prevents HTML inside from being rendered, and the form submit
should automatically URL encode the data in the textarea, so I don't see
the need to do anything.

> 4.) Simply encoding strings to send over a GET request.

Encode the values that you intend to pass: urlencode()

> 5.) Simply displaying strings from the $_REQUEST array.

If you want to maybe show some HTML as source tags then: htmlentities()
If you don't want HTML then strip it when displaying: striptags()

> 6.) string encoding for redirects

Same as #4.

BTW, these are very nice for working with data:
filter_var()
filter_var_array()
filter_input()
filter_input_array()

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
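As an added example that is not part of the thread: one small PHP helper per context the reply walks through (database, HTML output, textarea, GET/redirect URL, request data). It uses PDO prepared statements in place of the mysql_real_escape_string() named above; the $pdo connection, the table and the field names are assumed, and the input values are constructed.

```php
<?php
// Added example (editor's own, not from the thread). Assumes PHP 7+, a UTF-8
// page, and a hypothetical PDO connection $pdo; table and field names are made up.

// 1) Database: bind values instead of building SQL by hand; the driver does
//    the escaping, so what is stored is exactly what was received.
function saveComment(PDO $pdo, string $author, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:a, :b)');
    $stmt->execute([':a' => $author, ':b' => $body]);
}

// 2b) HTML output, no markup allowed: encode every special character.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 2a) Raw HTML only from a trusted author; untrusted text is tag-stripped and
//     still encoded, since strip_tags() alone leaves characters (quotes, '&')
//     that can break out of an attribute or the document.
function renderBody(string $body, bool $trusted): string
{
    return $trusted ? $body : h(strip_tags($body));
}

// 3) Textarea: its content is HTML text, so encode it; an unencoded
//    "</textarea>" in stored data would otherwise end the element early.
function textarea(string $name, string $value): string
{
    return '<textarea name="' . h($name) . '">' . h($value) . '</textarea>';
}

// 4/6) GET link or Location: header: encode each value (http_build_query()
//      runs urlencode() over every key and value).
function buildUrl(string $path, array $params): string
{
    return $path . '?' . http_build_query($params);
}

// 5) Request data: validate the type before use, not only escape on output.
function requestedPage(array $get): int
{
    $opts = ['options' => ['default' => 1, 'min_range' => 1]];
    return filter_var($get['page'] ?? '', FILTER_VALIDATE_INT, $opts);
}

// Constructed input: a comment containing markup and a textarea terminator.
$body = "</textarea><b>hi</b> & bye";
echo renderBody($body, false), "\n", textarea('body', $body), "\n";
echo buildUrl('/view.php', ['q' => 'a&b', 'page' => requestedPage(['page' => '0'])]), "\n";
```

The last line shows that an invalid page value ('0', below min_range) falls back to the default rather than reaching the query, and that '&' in a parameter is encoded rather than splitting the query string.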