I have a form to allow a user to contact me. I am aware of how to prevent the use of HTML in the input fields (htmlentities), but should I do this before it hits the DB, when it is being recalled, or both?
Cheers
I am curious how you would prevent the HTML input into the fields?
Always before it is rendered into HTML. Don't sanitise data which is being stored in a database, unless it's for caching purposes (e.g. storing the resultant HTML).
If I have a comments box, without sanitising someone would be able to enter JavaScript to flash up 100 alert boxes when the data is rendered.
Pena: So leave the data alone when storing in a DB, and then sanitise on render?
Is there anything else other than htmlentities that I should be using?
Yes, and not really. htmlentities will encode any characters which have special meaning in HTML, so you should be set.
Thanks! :D
If you did not want any HTML to be inputted you could put your data through the strip_tags() function which would remove the HTML tags and leave you with just the text.
That's a good point, because obviously in these circumstances I would rather display the code than execute it, but if I could get rid of it 100% then it will look better at the other end also.
Thanks 182182
No problem mate,
If you do remove any HTML tags and save this to the DB, when outputting it back to a page the line breaks won't appear as they should (however, if outputting the comment in an email they will appear as normal). What I do when showing inputted text that has been stripped of HTML tags on a page is replace all the "\n" with <br /> tags after selecting it from the DB, so the line breaks appear as normal.
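A worked version of the approach the thread converges on (store the raw text, escape on render, then restore line breaks), added here as an example and not code posted by anyone in the thread. It uses htmlspecialchars() with ENT_QUOTES, which covers the same HTML-significant characters as htmlentities() plus single quotes; the function and table names are assumptions.

```php
<?php
// Added example (not from the thread): keep the submitted text unchanged in the
// database and escape it only at the moment it is rendered into HTML.
// Function and table names below are assumptions.

declare(strict_types=1);

// On submit: store the raw text. A prepared statement means the database
// layer is not where escaping happens either.
function storeComment(PDO $db, string $raw): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
}

// On render: escape every HTML-significant character, then turn the stored
// newlines into <br /> so the line breaks survive the trip through the DB.
function renderComment(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);
}

// Variant from later in the thread: drop the tags before saving. strip_tags()
// is a cosmetic choice, not the escaping step; the output still goes through
// renderComment(), because a stray "<" or a quote that survives stripping
// would otherwise reach the browser unescaped.
function storeCommentWithoutTags(PDO $db, string $raw): void
{
    storeComment($db, strip_tags($raw));
}

// Constructed sample input, as a user might type it into the contact form.
$sample = "Hello,\n<script>alert(1)</script>\nsee you \"soon\" & thanks";

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
storeComment($db, $sample);
storeCommentWithoutTags($db, $sample);

foreach ($db->query('SELECT body FROM comments') as $row) {
    echo renderComment($row['body']), "\n---\n";
}
```

Run it with the pdo_sqlite extension enabled; the first rendered comment shows the script tag as visible text, the second has the tag stripped, and both keep their line breaks.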
hmmm... ILMV is not on MSN........ blocked:(
Quote:
Originally Posted by the182guy
Nah I was posting from work during the day :D