[RESOLVED] Remove HTML from string
Hi all,
I'm currently building a guestbook, where all content is put in a database and retrieved upon request. The simple thing.
Now, to prevent people from putting scripts etc. into my webpage, I'd like to know whether there is an easier way to remove that instead of hard-coding a line for each HTML element I can find.
Any suggestions?
Re: Remove HTML from string
Re: Remove HTML from string
Nice, that's exactly it
Thanks
Re: [RESOLVED] Remove HTML from string
Nice, why did no one tell me about this and let me use that htmlentities forever and eat up my MySQL space, lol... j/k
Re: [RESOLVED] Remove HTML from string
Quote:
Originally Posted by vbbit
Nice, why did no one tell me about this and let me use that htmlentities forever and eat up my MySQL space, lol... j/k
Both functions do totally different things. You shouldn't apply the htmlentities function to data you intend to save in a database anyway.
Re: [RESOLVED] Remove HTML from string
Quote:
Originally Posted by visualAd
You shouldn't apply the htmlentities function to data you intend to save in a database
Why is that?
Re: [RESOLVED] Remove HTML from string
You should apply it before you display it. The database should contain the raw data only.
Re: [RESOLVED] Remove HTML from string
But then you have to apply it every time, instead of just once before you store it...
Re: [RESOLVED] Remove HTML from string
Indeed; then again if you only ever intend to display it as HTML it is better to store it in the database escaped.
It's best however to keep the data as atomic as possible within the database. It may in some cases be beneficial to store the escaped version of the string too.
Re: [RESOLVED] Remove HTML from string
Data in a database should not contain content pertinent to any specific presentation of said data.
For example, this forum saves posts as they are typed. It does however apply several transformations such as parsing BBcode and applying htmlentities() before displaying the posts. (The resultant HTML is then also saved into the database, but that's purely for caching purposes—it doesn't replace the raw data.)
Re: [RESOLVED] Remove HTML from string
My webpage stores whatever the user types into the database, but I use htmlentities before I display it, just like the way this forum works ;)
Re: [RESOLVED] Remove HTML from string
Ok, thanks guys, I'll keep that in mind
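The pattern the thread settles on (store the raw text, escape when rendering), as an added example that is not part of the original thread. It assumes PHP with the pdo_sqlite extension; the table, column and function names and the sample entry are constructed for illustration.

```php
<?php
// Added example: guestbook that stores raw input and escapes only on output.
// Table/column names and the sample entry are constructed, not from the thread.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, author TEXT, message TEXT)');

// Store the submission exactly as typed. The prepared statement takes care of
// SQL quoting; no HTML escaping happens at this stage.
function save_entry(PDO $db, string $author, string $message): void
{
    $stmt = $db->prepare('INSERT INTO guestbook (author, message) VALUES (?, ?)');
    $stmt->execute([$author, $message]);
}

// Escape for an HTML context at display time. ENT_QUOTES also covers values
// placed inside attributes; the charset is given explicitly.
function h(string $raw): string
{
    return htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_entries(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT author, message FROM guestbook ORDER BY id') as $row) {
        $html .= '<div class="entry"><strong>' . h($row['author']) . '</strong>: '
               . nl2br(h($row['message'])) . "</div>\n";
    }
    return $html;
}

// The same raw rows can feed a non-HTML output without un-escaping anything.
function export_json(PDO $db): string
{
    $rows = $db->query('SELECT author, message FROM guestbook ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
    return json_encode($rows, JSON_HEX_TAG | JSON_HEX_AMP);
}

// Constructed sample submission containing markup and special characters.
save_entry($db, 'Tom & "Jerry"', "Nice site!\n<script>alert(1)</script>");
echo render_entries($db);       // markup appears as inert text (&lt;script&gt;...)
echo export_json($db), "\n";    // raw data, encoded for JSON rather than HTML
```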