Re: Dealing With User Entering a Script


On 16-07-22 02:42 PM, Ashley Sheridan wrote:
On Fri, 2016-07-22 at 14:19 -0400, Stephen wrote:
I dug back to see where I got the idea of using htmlentities() on user
input.

This came from the book Modern PHP and deals with a user entering in a
text box something like:

<script>window.location.href='http://example.com';</script>

Is there a better way of dealing with this?


For context, I am creating a user registration field and there is a
textarea field for their bio.

Thank you!

--
Stephen


That script tag is not a problem if you're putting that data into a
database. The DB doesn't need to be protected against anything other
than SQL injection, which a <script> tag is not.

You only use htmlentities (now you might be better using filter_var -
look up the manual for usage) when outputting that content onto a page
that is HTML (or XML). If you're not outputting it, or outputting it as
PDF or text, then you won't need to run that (you'll need other things
possibly instead, particularly for PDF)

It's typically a bad idea to alter data in this way, as it cannot be
undone, and it isn't applicable to the DB anyway.

To learn, I push back.

Why has BBcode become the norm on most bulletin board like web sites?

--
Stephen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
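The point Ashley makes above (keep the bio as typed, bind it into the query, and escape only when it is rendered into an HTML page) as a worked PHP example. This is an added illustration, not code from the thread or from the Modern PHP book. It assumes the pdo_sqlite extension is available so the script runs offline against an in-memory database, and it uses htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5 for the HTML output step instead of htmlentities(); the user names and the sample bio are constructed.

```php
<?php
// Added example (not from the thread): store the bio unmodified with a
// prepared statement, then escape it at output time for the HTML context.
declare(strict_types=1);

// Assumption: pdo_sqlite is installed. In-memory SQLite keeps the example
// self-contained; a real application would use its own DSN.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, bio TEXT NOT NULL)');

/**
 * Store a user record. The bio is written exactly as typed: bound
 * parameters keep it out of the SQL grammar, so a <script> tag or a
 * quote character in it is plain data as far as the database is concerned.
 */
function saveUser(PDO $db, string $name, string $bio): int
{
    $stmt = $db->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
    $stmt->execute([':name' => $name, ':bio' => $bio]);
    return (int) $db->lastInsertId();
}

/** Read the bio back, unmodified. */
function loadBio(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT bio FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $bio = $stmt->fetchColumn();
    return $bio === false ? '' : (string) $bio;
}

/**
 * Escape for an HTML text node or a quoted attribute value.
 * ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** HTML output: this is the one place the escaping belongs. */
function renderBioHtml(string $bio): string
{
    return '<p class="bio">' . escapeHtml($bio) . '</p>';
}

/**
 * Plain-text output (for example a text/plain email). No HTML escaping
 * applies here; had the bio been passed through htmlentities() on input,
 * the reader would see the entity-encoded form in this context.
 */
function renderBioText(string $bio): string
{
    return 'Bio: ' . $bio . "\n";
}

// Constructed sample input: the payload from the thread plus an apostrophe,
// which would also trip naive string concatenation into SQL.
$payload = "O'Brien <script>window.location.href='http://example.com';</script>";
$id      = saveUser($db, 'stephen', $payload);

$stored = loadBio($db, $id);
if ($stored !== $payload) {
    throw new RuntimeException('bio was altered between input and storage');
}

echo renderBioHtml($stored), "\n";
echo renderBioText($stored);
```

Two caveats a practitioner should keep in mind. First, htmlspecialchars() is the right tool only for HTML text nodes and quoted attribute values; a bio dropped into a URL, a JavaScript string, or a CSS block needs the escaping rules of that context instead. Second, if the requirement is to let users keep some markup in their bio rather than have all of it neutralised, escaping is the wrong primitive altogether and a whitelist-based HTML sanitiser is needed; that is a separate design decision from the store-raw, escape-on-output rule shown here.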



