On Fri, 2016-07-22 at 13:52 -0700, Jeffry Killen wrote: > On Jul 22, 2016, at 11:19 AM, Stephen wrote: > > > I dug back to see where I git the idea of using htmlentities() on > > user input. > > > > This came from the book Modern PHP and deals with a user entering in > > a text box something like: > > > > <script>window.location.href='http://example.com';</script> > > > > Is there a better way of dealing with this? > > > > > > For context, I am creating a user registration field and there is a > > textarea field for their bio. > > > > Thank you! > > > > -- > > Stephen > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > There should not be a problem with script code entered into a text > field or > textarea element because the browser treats it like a single quoted > string. > So the script won't be run in the client. > > I would have php look for embedded script tags and str_replace() them > when the form data is submitted. OR, if you are up on javascript, have > it > intercept the submit process and clean the form input. > > I have developed a crude way of editing source code that load anything > and every thing into a textarea element for editing with no worry of the > browser executing any code in the textarea. Even php open and close > tags in php script files won't cause it to run php code. > > JK > You should never solely rely on any client-side validation, as that is easily circumvented. As I said before, you shouldn't be looking to just alter content submitted to your app if it doesn't need it. If that data is only going to the DB, then it does not need <script> tags removed. If you're displaying that user-supplied content on your website afterwards, then sanitise it only at the point that it is being displayed. I know it's very tempting to just clobber user input with everything that is at hand, but it really pays off to understand the entire process of the route data takes through your application and the risks at each part. Running HTML sanitisation on data intended for a database is not advised and sometimes pointless (e.g. an app that outputs user submissions into a CSV for download). I wrote something on this just under 2 years ago for my last company as part of a coding standards document: https://github.com/tmwagency/TMW-PHP-coding-standards/blob/master/php% 20coding%20standards%20github%20format.md#sql-injection It also has a link to more resources on why running htmlentities before a database insert is not recommended. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php