On Fri, 2016-07-22 at 14:19 -0400, Stephen wrote:
> I dug back to see where I got the idea of using htmlentities() on user input.
>
> This came from the book Modern PHP and deals with a user entering in a text box something like:
>
> <script>window.location.href='http://example.com';</script>
>
> Is there a better way of dealing with this?
>
> For context, I am creating a user registration field and there is a textarea field for their bio.
>
> Thank you!
>
> --
> Stephen

That script tag is not a problem if you're putting that data into a database. The DB doesn't need to be protected against anything other than SQL injection, which a <script> tag is not.

You only use htmlentities (now you might be better using filter_var - look up the manual for usage) when outputting that content onto a page that is HTML (or XML). If you're not outputting it, or outputting it as PDF or text, then you won't need to run that (you'll need other things possibly instead, particularly for PDF).

It's typically a bad idea to alter data in this way, as it cannot be undone, and it isn't applicable to the DB anyway.

Thanks,
Ash
http://www.ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
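As an added example (not code from this thread or from the Modern PHP book), here is the arrangement Ash describes, in PHP: the bio goes into the database unmodified behind a prepared statement, and HTML escaping happens only at the point where it is rendered into an HTML page. It assumes PDO with an in-memory SQLite database standing in for the real users table; the sample bio is constructed from Stephen's payload.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the bio from Stephen's question, plus characters that
// matter in HTML attribute context and for spotting double-encoding.
$bio = "<script>window.location.href='http://example.com';</script> Tom & \"Jerry\"";

// Assumption for this demo: an in-memory SQLite database stands in for the users table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, bio TEXT)');

// Storage: the prepared statement is what protects against SQL injection.
// The bio is stored exactly as the user typed it; no HTML escaping here.
function storeBio(PDO $pdo, int $id, string $bio): void {
    $stmt = $pdo->prepare('INSERT INTO users (id, bio) VALUES (:id, :bio)');
    $stmt->execute([':id' => $id, ':bio' => $bio]);
}

function loadBio(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT bio FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Output: escape for the HTML context at render time. ENT_QUOTES also covers
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
function renderBioHtml(string $bio): string {
    return htmlspecialchars($bio, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A plain-text context (e.g. a text/plain email) needs no HTML escaping at all.
function renderBioText(string $bio): string {
    return $bio;
}

storeBio($pdo, 1, $bio);
$stored = loadBio($pdo, 1);

// The database holds the original text; the browser receives inert markup.
echo "Stored : " . $stored . "\n";
echo "Text   : " . renderBioText($stored) . "\n";
echo "HTML   : " . renderBioHtml($stored) . "\n";

// What escaping on input does instead: the altered form is persisted, and a later
// (correct) escape on output double-encodes it, so the page shows "&lt;script&gt;" literally.
$escapedOnInput = htmlentities($bio, ENT_QUOTES, 'UTF-8');
echo "Double : " . renderBioHtml($escapedOnInput) . "\n";
```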