On 16-07-22 02:42 PM, Ashley Sheridan wrote:
On Fri, 2016-07-22 at 14:19 -0400, Stephen wrote:
I dug back to see where I git the idea of using htmlentities() on user
input.
This came from the book Modern PHP and deals with a user entering in a
text box something like:
<script>window.location.href='http://example.com';</script>
Is there a better way of dealing with this?
For context, I am creating a user registration field and there is a
textarea field for their bio.
Thank you!
--
Stephen
That script tag is not a problem if you're putting that data into a
database. The DB doesn't need to be protected against anything other
than SQL injection, which a <script> tag is not.
You only use htmlentities (now you might be better using filter_var -
look up the manual for usage) when outputting that content onto a page
that is HTML (or XML). If you're not outputting it, or outputting it as
PDF or text, then you won't need to run that (you'll need other things
possibly instead, particularly for PDF)
It's typically a bad idea to alter data in this way, as it cannot be
undone, and it isn't applicable to the DB anyway.
To learn, I push back.
Why has BBcode become the norm on most bulletin board like web sites?
--
Stephen
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php