Hi:

You asked:

> Is there a better way of dealing with this?

When dealing with any web-data you collect, you need to consider what you're going to do with it. I think "Richard Lynch" said it best:

<quote>
You're actually conflating not one, but TWO (!) different problems.

Number 1 is to "filter input". What that means specifically is to be sure that the user input looks EXACTLY the way you expect.

Number 2 is to "escape output". What that means specifically is to transform any given chunk of data to a format suitable for its output medium.

For example, ANY output headed to the browser should have http://php.net/htmlentities called on it.

If it's headed out to a database, it should have a database-specific function called, such as http://php.net/mysql_real_escape_string

If it's going to be data in a GET parameter in a URL, it needs http://php.net/urlencode called FIRST, and then htmlentities.

If it's headed to XML, however, it should have some kind of XML function called to wrap it into CDATA or a pre-defined data type / format.

If it's headed out to Javascript, I think you want http://php.net/json

So, you've really got TWO phases: filter input; escape output

Why it matters is that Evil People do exist, and they WILL find a way to cause damage to you or even to others, if you fail to do this. Common hacks include executing SQL to damage databases, or adding Javascript to deface websites, or even adding Javascript to use YOUR web-site in an attack upon another website.

Here is a good starting point for some of the details of what to do and why: http://phpsec.org/

ALSO

If some random 'net user can send POST data, and you just blindly spit it out, with no filtering and no escaping, then, yes, that is insecure. There are all manner of nasty things that can be done to this setup by other users.

Example: They can send whatever POST data they want, which can include JavaScript, which you blindly echo out, which can make your site "look" like another site's login, but sends THEM the login info. So now they are using your site as a dropbox in a phishing attack. And that's just ONE example from a dozen.
</quote>

Cheers,

tedd

_______________
tedd sperling
tedd.sperling@xxxxxxxxx

---

> On Jul 22, 2016, at 2:19 PM, Stephen <stephen-d@xxxxxxxxxx> wrote:
>
> I dug back to see where I got the idea of using htmlentities() on user input.
>
> This came from the book Modern PHP and deals with a user entering in a text box something like:
>
> <script>window.location.href='http://example.com';</script>
>
> Is there a better way of dealing with this?
>
>
> For context, I am creating a user registration field and there is a textarea field for their bio.
>
> Thank you!
>
> --
> Stephen
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
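The two phases tedd's reply describes, applied to Stephen's bio field, as an added example (not code from the thread or from the Modern PHP book). It keeps the stored bio exactly as typed and picks a different escaper for each output medium; the database case uses a PDO prepared statement with an in-memory SQLite table (my choice, in place of the older mysql_real_escape_string approach). The function names, the users table, and the sample payload are assumptions for the example.

```php
<?php
// Added example: "filter input, escape output" for a user-supplied bio.
declare(strict_types=1);

// Phase 1: filter input. Accept only well-formed UTF-8 of a bounded length,
// drop control characters, and otherwise store what the user typed. No HTML
// escaping happens here; that belongs to the output phase.
function filterBio(string $raw, int $maxLen = 2000): ?string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;                                   // malformed bytes: reject
    }
    // Remove control characters, keeping newline, carriage return and tab.
    $clean = preg_replace('/[^\P{C}\n\r\t]+/u', '', $raw);
    if ($clean === null || mb_strlen($clean, 'UTF-8') > $maxLen) {
        return null;
    }
    return $clean;
}

// Phase 2: escape output, one function per destination.

// Into an HTML element body or a double-quoted attribute.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Into a URL query parameter that itself sits inside an HTML attribute:
// percent-encode FIRST, then HTML-escape, the ordering the quoted post gives.
function escUrlParamInHtml(string $s): string
{
    return escHtml(rawurlencode($s));
}

// Into a JavaScript string literal inside a <script> block. The HEX flags make
// json_encode encode "<", ">", "&" and quotes so "</script>" cannot close the block.
function escJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Into a database: no hand-rolled escaping; bind the raw value to a prepared
// statement so the driver keeps data and SQL separate.
function storeBio(PDO $db, int $userId, string $bio): void
{
    $stmt = $db->prepare('UPDATE users SET bio = :bio WHERE id = :id');
    $stmt->execute([':bio' => $bio, ':id' => $userId]);
}

// Constructed input: the payload from Stephen's message, as a POSTed bio.
$posted = "<script>window.location.href='http://example.com';</script>";

$bio = filterBio($posted);
if ($bio === null) {
    http_response_code(400);
    exit("Invalid bio\n");
}

// Assumed schema, created in memory so the example runs without a server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, bio TEXT)');
$db->exec("INSERT INTO users (id, bio) VALUES (1, '')");
storeBio($db, 1, $bio);                               // stored verbatim, no escaping

// The same stored string rendered into three contexts, each with its own escaper.
$stored = (string) $db->query('SELECT bio FROM users WHERE id = 1')->fetchColumn();
echo "<p class=\"bio\">" . escHtml($stored) . "</p>\n";
echo "<a href=\"/search?q=" . escUrlParamInHtml($stored) . "\">search</a>\n";
echo "<script>var bio = " . escJs($stored) . ";</script>\n";
```

Rendered, the first line shows the literal text `<script>...` to the reader instead of running it, the second carries it safely as a query value, and the third yields a JavaScript string whose angle brackets are `\u003C`/`\u003E`, so the browser never sees a closing `</script>`. The value in the database is untouched, which is what lets the same record be emitted correctly into each of these media later.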