[SATLUG] php email ist, strip_tags vs. htmlentities
David Guarneri
dguarneri at satx.rr.com
Wed Aug 4 00:55:55 CDT 2004
On Tue, 2004-08-03 at 16:18, joseph speigle wrote:
> On Tue, Aug 03, 2004 at 10:58:08AM -0700, N. David Guarneri wrote:
> > Does anyone know a good PHP+Postgresql email list?
> It's mostly a php-mysql world. The others on this list may point you in the right direction. I can suggest, though, not using the mysql_* functions rather use the PEAR::DB class. To migrate your app to PG would only require changing the DSN.
> >
> > I've been reading a lot on the web about magic quotes issues, and how
> > it's now off by default. The php.ini suggests using strip_tags instead.
> > My question is, why would anyone bother with any of this when you can
> > just use htmlentities? A #039 (quote) and < (less than) will always
> > be #039 and < no matter what. The only reason I see is if you want to
> > store formatted text in the database, but to me it's just not worth the
> > hassle.
> The thing there with magic_quotes isn't having to do with html entities,
> it has to do with escaping single quotes. It doesn't matter if you
> insert < into the database. You can't insert single quotes into a sql db
> as that's the string terminator. You the programmer have to use 'stripslashes'
> as you pull out and addslashes as you put into the database.
Thanks for your response.
If you use htmlentities($string, ENT_QUOTES), it will convert both
double and single quotes. I would rather avoid using slashes, as
you can end up with \\\\\\\\' in some cases. It also prevents
people from inserting stuff like <script LANGUAGE=JavaScript> into
comments to boot. I eventually wrote a class that uses htmlentities at
the top and then uses an array followed by a preg_replace($array1,
$array2, $string) to handle special characters which I then convert to
&#xxx . It seems to me that if I ever need to convert to print or a
written report (unlikely), I can always search for these and reconvert
them as necessary. But as they say, there's more than one way to
do things, so others might be happy using stripslashes.
David
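The two escaping layers the thread contrasts (HTML entity encoding versus addslashes/stripslashes around the database), as an added PHP example that is not part of the original messages; the sample input string is constructed, and the function names are this example's own.

```php
<?php
// Added example, not from the thread. Shows why htmlentities() with
// ENT_QUOTES and addslashes()/stripslashes() solve different problems:
// the first protects HTML output, the second is the SQL string-literal
// layer described in the reply. Applying the SQL layer twice (e.g.
// magic_quotes_gpc already escaped the request data and the code calls
// addslashes() again) produces the runaway backslashes David mentions.

// Constructed sample input, as a visitor might submit it in a comment.
$input = "O'Reilly <script LANGUAGE=JavaScript>";

// HTML layer: quotes and angle brackets become entities, so the value
// cannot close an attribute or open a tag when echoed into a page.
function forHtml(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// SQL-literal layer as the thread describes it: escape once going in,
// stripslashes() once coming out. The round trip is exact only when
// the escaping is applied exactly once.
function forSqlLiteral(string $s): string {
    return addslashes($s);
}

// What stacking two escaping passes does to the same value.
function doubleEscaped(string $s): string {
    return addslashes(addslashes($s));
}

// True: a single addslashes() is undone by a single stripslashes().
function singlePassRoundTrips(string $s): bool {
    return stripslashes(forSqlLiteral($s)) === $s;
}

// False: after a double pass, one stripslashes() leaves a stray
// backslash behind, which is how \\\\' ends up in stored comments.
function doublePassRoundTrips(string $s): bool {
    return stripslashes(doubleEscaped($s)) === $s;
}

echo forHtml($input), "\n";
echo forSqlLiteral($input), "\n";
echo doubleEscaped($input), "\n";
var_dump(singlePassRoundTrips($input));
var_dump(doublePassRoundTrips($input));

// Neither layer substitutes for the other: entity-encoding does not make
// a value safe inside a SQL literal, and slashes do not make it safe in
// HTML. Parameter binding in the DB layer removes the slash handling entirely.
```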