when storing, use mysql_real_escape_string (or equiv for whatever db)

eg, $query = 'insert into table set field=\''.mysql_real_escape_string($valuefromuser).'\', field2=...

when displaying user input (no matter where from), use htmlentities()

eg, echo htmlentities($string_from_db);

--
Louis Solomon
www.SteelBytes.com

"Ross Honniball" <ross@xxxxxxxxxxxxxxxxxxx> wrote in message news:6.0.0.22.1.20050526203454.04084130@xxxxxxxxxxxxxxxxxxxxxxx
> Hi all,
>
> Say you get some text field from a user and store it in a database. Then
> later you display this input. If the user has coded html in the actual
> input, without running this through some kind of parsing function, it
> could give you some odd results.
>
> For example, say the user types in, as text <input type="text">
>
> Then when you display this data (echo it), your page will show an html
> input box.
>
> I think there are a number of functions in php to cope with this, but
> wondering what people find to be the best/most efficient or whatever one.
>
> What do you do?
> ..
> .. Ross Honniball. JCU Bookshop Cairns, Qld, Australia.
> ..

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
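The two steps from the reply above, written out as an added example (not code from the original message): the user's text is stored through a bound parameter, which in current PHP (mysqli; the mysql_ extension was removed in PHP 7) stands in for the mysql_real_escape_string step, and is encoded with htmlentities() at display time. The table name, column names, connection details and sample input are assumed placeholders.

```php
<?php
// Added example, not code from the original mailing-list message.
// Assumes a `comments` table with an auto-increment `id` and a `body` column;
// the connection details and the sample input are constructed placeholders.

// Make mysqli throw on connection/query errors in every PHP version.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Storing: bind the user's text as a parameter instead of splicing it into the
// SQL string. The value is stored verbatim; nothing is "pre-escaped" for HTML.
function store_comment(mysqli $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $stmt->close();
}

// Displaying: encode for HTML at output time, no matter where the string came from.
// ENT_QUOTES also encodes single and double quotes, so the result is safe inside
// attribute values as well as between tags.
function display_comment(string $body): string
{
    return htmlentities($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: the exact text from the question.
$userInput = '<input type="text">';

// The browser shows the literal text instead of rendering an input box.
echo display_comment($userInput), PHP_EOL;

// Round trip through the database, skipped if no server is reachable.
try {
    $db = new mysqli('localhost', 'user', 'password', 'app');   // placeholder credentials
    store_comment($db, $userInput);
    $row = $db->query('SELECT body FROM comments ORDER BY id DESC LIMIT 1')->fetch_assoc();
    echo display_comment($row['body']), PHP_EOL;               // same encoded output
    $db->close();
} catch (mysqli_sql_exception $e) {
    echo 'database step skipped: ', $e->getMessage(), PHP_EOL;
}
```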