It really depends on what you want to do with the data.

For instance, if you want to insert into a database, you'll want to run addslashes() on it, or some other such quoting.

If you want to use the data as a forum post or comment, etc., you'll want to strip the HTML out of it with strip_tags() or htmlentities(), like you mentioned.

If you want to use the data in a command-line, you should run escapeshellarg() or escapeshellcmd().

If you want to send an email to this person later based on the email address they're providing, you may want to use checkdnsrr and a solid regex to make sure that this email is reasonably valid.

There are any number of ways to check a piece of user-submitted data. You have to evaluate what it is you want to do with it, and at every stage make every effort to ensure that it is what you think it is.

There is no such thing as safe data, just less-dangerous data.

HTH.
Pete.

rotsky wrote:
I'd like to canvas opinions about what's needed to clean user input. I'm
using an HTML form where users enter simple things like name and phone
number, but also a couple of small text areas for address and a message (up
to 50 words or so).

How would people recommend cleaning this data when it's received (via
$_POST) in the next page? Some fields (like email) I can check against a
template using ereg(), but the text areas pose more of a problem. I assume
running strip_tags() might be a wise precaution, and maybe also
htmlentities(). Anything else?

I'd be interested to hear what other people do.

a+
Steve
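The per-sink approach in Pete's reply, written out as an added example (this is not Pete's or Steve's code, and it is not from the PHP manual). It takes the four sinks he lists and escapes or validates the same form fields once for each: the database (here with PDO bound parameters rather than addslashes(), a deliberate swap), HTML output (htmlspecialchars()), a shell command (escapeshellarg()), and an email address (filter_var() plus checkdnsrr()). The $post array is a constructed sample with hostile values in it, the "contacts" table is hypothetical, and the script assumes the pdo_sqlite extension is available; the DNS lookup is off by default so the script runs offline.

```php
<?php
// Added example (not Pete's code): the same $_POST fields, escaped differently
// for each sink they reach. Assumes an in-memory SQLite PDO connection and a
// hypothetical "contacts" table; the sample request below is constructed.

declare(strict_types=1);

// Constructed sample of what the form might post, including hostile input.
$post = [
    'name'    => "O'Brien <script>alert(1)</script>",
    'email'   => 'steve@example.com',
    'phone'   => '+44 20 7946 0958',
    'message' => "Hello; rm -rf / & echo pwned",
];

// 1. Database sink: bind parameters instead of quoting the string yourself.
//    The driver keeps data and SQL separate, so the apostrophe in O'Brien
//    cannot terminate the string literal.
function storeContact(PDO $db, array $post): int
{
    $db->exec('CREATE TABLE IF NOT EXISTS contacts (
        id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, message TEXT)');
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, email, phone, message)
         VALUES (:name, :email, :phone, :message)'
    );
    $stmt->execute([
        ':name'    => $post['name'],
        ':email'   => $post['email'],
        ':phone'   => $post['phone'],
        ':message' => $post['message'],
    ]);
    return (int) $db->lastInsertId();
}

// 2. HTML sink: encode on output, for the context the value lands in.
//    The stored value stays verbatim; the browser renders the <script> tag
//    as literal text because '<', '>', '"' and "'" are all encoded.
function renderField(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Shell sink: wrap the whole value as one argument. escapeshellarg()
//    returns a single-quoted token, so ';', '&' and '$' inside it are inert.
function buildLogCommand(string $logfile, string $message): string
{
    return 'printf %s ' . escapeshellarg($message) . ' >> ' . escapeshellarg($logfile);
}

// 4. Email sink: syntactic check with filter_var(), then an optional MX/A
//    lookup with checkdnsrr(). The lookup needs network access, so it is
//    gated by a flag and skipped by default.
function emailLooksDeliverable(string $email, bool $checkDns = false): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!$checkDns) {
        return true;
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$id  = storeContact($db, $post);
$row = $db->query('SELECT name FROM contacts WHERE id = ' . (int) $id)
          ->fetch(PDO::FETCH_ASSOC);

echo "stored name verbatim: ", $row['name'], "\n";
echo "html-safe name:       ", renderField($row['name']), "\n";
echo "shell command:        ", buildLogCommand('/tmp/contact.log', $post['message']), "\n";
echo "email syntax ok:      ", var_export(emailLooksDeliverable($post['email']), true), "\n";
```

Run it with `php sanitize.php`. The point is that none of the four functions is applied to the value "on receipt": the name is stored exactly as typed and only encoded at the moment it is written into HTML, and only quoted at the moment it is placed into a shell command. Escaping once for one sink and then reusing that string elsewhere is what produces both double-encoded output and injection in the sink you did not escape for.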

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php