List: php-general
Subject: [PHP] Re: String Encodings - loose guidelines
From: Shawn McKenzie <nospam () mckenzies ! net>
Date: 2011-01-26 20:41:49
Message-ID: 4D40870D.3060909 () mckenzies ! net
On 01/25/2011 02:36 PM, Donovan Brooke wrote:
> Hello,
>
> I don't yet have a complete understanding of string encodings for the
> various environments they may need to pass through or be in. I have
> found bits and pieces within Larry's book, the online docs, and by
> googling... and
> my app seems to be working fine, but I don't yet feel confident on "best
> practices". So, I thought I'd see if I could spark some feedback to the
> following:
>
> 1.) Saving strings to a database
Just use the proper escaping and save what is received:
example: mysql_real_escape_string(), or an addcslashes() for DBs without
a comparable function, or preg_replace() for those that escape differently.
If you definitely don't want certain things then strip them:
strip_tags()
If you may need it then leave it.
>
> 2.) print/echo'ing string fields from a database.
> a. Allowing HTML?
> b. Not allowing HTML?
Depends on whether you want to render HTML. If so, and you can trust it
(you or a trusted source entered it) then do nothing. Otherwise if you
want to show the HTML as source tags then:
htmlentities()
If you don't want it then strip it before insert or when displaying,
your call:
strip_tags()
>
> 3.) print/echo'ing string fields into form textareas.
The textarea prevents HTML inside from being rendered and the form
submit should automatically URL encode the data in the textarea so I
don't see the need to do anything.
>
> 4.) Simply encoding strings to send over a GET request.
Encode the values that you intend to pass:
urlencode()
>
> 5.) Simply displaying strings from the $_REQUEST array.
If you want to maybe show some HTML as source tags then:
htmlentities()
If you don't want HTML then strip it when displaying:
strip_tags()
>
> 6.) string encoding for redirects
>
Same as #4.
BTW, these are very nice for working with data:
filter_var()
filter_var_array()
filter_input()
filter_input_array()
--
Thanks!
-Shawn
http://www.spidean.com
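As an added illustration (not code from the thread or from either poster), here is one small PHP script that walks through the six cases in the reply above using current-PHP equivalents of the functions it names. Two substitutions are made deliberately and labelled in the comments: database writes use PDO prepared statements instead of mysql_real_escape_string() (that function was removed in PHP 7, and a prepared statement keeps data out of the query text altogether), and output escaping uses htmlspecialchars() with ENT_QUOTES rather than a bare htmlentities(), so single quotes are covered inside attribute values too. The textarea case also escapes the value, because a literal `</textarea>` in stored data would otherwise close the element. The table, column names and sample strings are constructed for the demo; it runs stand-alone with the bundled SQLite driver.

```php
<?php
// Added example, not part of the original thread. Assumes PHP >= 7.4 with the
// pdo_sqlite extension. Table/column names and sample input are constructed.
declare(strict_types=1);

// 1) Saving strings: store what was received, unchanged, via a prepared
//    statement (substituted here for mysql_real_escape_string()).
function saveComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// 2b / 5) Untrusted HTML shown as source text. ENT_QUOTES escapes both quote
//    characters so the result is safe inside any attribute delimiter; the
//    explicit charset avoids mis-encoding surprises.
function toHtmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2b / 5) Alternative when tags should be dropped rather than displayed.
function withoutTags(string $s): string
{
    return strip_tags($s);
}

// 3) Textareas: the browser does not render tags inside <textarea>, but a
//    literal "</textarea>" in the value would end the element, so escape anyway.
function textareaField(string $name, string $value): string
{
    return '<textarea name="' . toHtmlText($name) . '">'
         . toHtmlText($value) . '</textarea>';
}

// 4 / 6) Values for a GET query string or a redirect Location header.
//    http_build_query() applies urlencode() to every key and value.
function buildUrl(string $base, array $params): string
{
    return $base . '?' . http_build_query($params);
}

// 5) Reading request input: validate with the filter extension before use.
//    A non-integer or out-of-range "page" falls back to 1.
function readPage(array $request): int
{
    return filter_var($request['page'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['default' => 1, 'min_range' => 1],
    ]);
}

// --- demo ---------------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$input  = "O'Brien says <b>hi</b> & </textarea><i>x</i>";   // constructed sample
$stored = loadComment($db, saveComment($db, $input));

echo 'stored unchanged: ', var_export($stored === $input, true), "\n";
echo 'as source text:   ', toHtmlText($stored), "\n";
echo 'tags stripped:    ', withoutTags($stored), "\n";
echo 'textarea:         ', textareaField('body', $stored), "\n";
echo 'GET url:          ', buildUrl('/search', ['q' => 'a&b c', 'next' => '/x?y=1']), "\n";
echo 'page param:       ', readPage(['page' => '12abc']), "\n";
// For a redirect (case 6), the same buildUrl() result is what you would pass to
// header('Location: ...').
```

The split between saving and displaying matches the reply: nothing is altered on the way into the database, and the escaping function is chosen at output time by where the string is going (HTML body, attribute, textarea, or URL).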