Web lists-archives.com

Re: [PHP] Dealing With User Entering a Script

On Fri, 2016-07-22 at 14:19 -0400, Stephen wrote:
> I dug back to see where I git the idea of using htmlentities() on user 
> input.
> This came from the book Modern PHP and deals with a user entering in a 
> text box something like:
> <script>window.location.href='http://example.com';</script>
> Is there a better way of dealing with this?
> For context, I am creating a user registration field and there is a 
> textarea field for their bio.
> Thank you!
> -- 
> Stephen

That script tag is not a problem if you're putting that data into a
database. The DB doesn't need to be protected against anything other
than SQL injection, which a <script> tag is not.

You only use htmlentities (now you might be better using filter_var -
look up the manual for usage) when outputting that content onto a page
that is HTML (or XML). If you're not outputting it, or outputting it as
PDF or text, then you won't need to run that (you'll need other things
possibly instead, particularly for PDF)

It's typically a bad idea to alter data in this way, as it cannot be
undone, and it isn't applicable to the DB anyway.



PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php