The first rule is to NEVER rely on anything that they give you, or any of
the security precautions in your form code, because someone can always create
a less-secure form which posts to the same script.

So, whilst maxlength='4' for a year select thing is great, you should check
at the other end that

a) it is only four digits
b) it is_numeric()


TEXTAREAs don't even have a max length from memory, so if you want to limit
to n characters, that's easy using strlen() to check it, or substr() to chop
it.

For 50 words (as per your OP), you can check it with:

<?php
// split the textarea contents on spaces and count the pieces
$words = explode(' ', $_POST['about_me']);
if(count($words) > 50)
    {
    // error
    }
else {
    // good
    }
?>

or chop it with

<?php
$text = $_POST['about_me'];
$words = explode(' ', $text);
if(count($words) > 50)
    {
    // keep the first 50 words and mark where the text was cut
    $text = '';
    for($i=0; $i<50; $i++)
        {
        $text .= "{$words[$i]} ";
        }
    $text .= "... [too long]";
    }
echo $text;
?>


Untested, season to taste.


And yes, definitely strip_tags(), and follow the advice on the rest of the
thread.


BTW: Allowing some tags with strip_tags() is a great security risk:

let's say you allow <b> tags -- then I can go:

<b onmouseover='javascript:window.close();'>hahahaha</b>  --  not good!!


Justin


on 20/03/03 11:18 AM, rotsky ([EMAIL PROTECTED]) wrote:

> I'd like to canvass opinions about what's needed to clean user input. I'm
> using an HTML form where users enter simple things like name and phone
> number, but also a couple of small text areas for address and a message (up
> to 50 words or so).
> 
> How would people recommend cleaning this data when it's received (via
> $_POST) in the next page? Some fields (like email) I can check against a
> template using ereg(), but the text areas pose more of a problem. I assume
> running strip_tags() might be a wise precaution, and maybe also
> htmlentities(). Anything else?
> 
> I'd be interested to hear what other people do.
> 
> a+
> Steve
> 
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
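The checks Justin describes (server-side re-validation of the year field, a word limit on the textarea, strip_tags() on free text, and the attribute problem when tags are allowed) put together as one runnable script. This is an added example, not code from the thread; the field names, the constructed sample submission standing in for $_POST, and the helper function names are assumptions.

```php
<?php
// Added example, not from the original post. Server-side validation for a
// form with a 4-digit "year" field and a ~50-word "about_me" textarea.
// $post below is a constructed stand-in for $_POST so the script runs offline.

const MAX_WORDS = 50;

// Year: exactly four ASCII digits. ctype_digit() rejects signs, spaces and
// forms like "1e3" that is_numeric() would accept.
function valid_year(string $raw): bool
{
    return strlen($raw) === 4 && ctype_digit($raw);
}

// Split on runs of whitespace. explode(' ') counts double spaces and
// newlines as extra "words", so the limit could be dodged or tripped by accident.
function word_list(string $text): array
{
    return preg_split('/\s+/', trim($text), -1, PREG_SPLIT_NO_EMPTY);
}

function too_many_words(string $text, int $limit = MAX_WORDS): bool
{
    return count(word_list($text)) > $limit;
}

// Alternative to rejecting: keep the first $limit words and mark the cut.
function chop_words(string $text, int $limit = MAX_WORDS): string
{
    $words = word_list($text);
    if (count($words) <= $limit) {
        return $text;
    }
    return implode(' ', array_slice($words, 0, $limit)) . ' ... [too long]';
}

// Store plain text (all tags dropped) and escape again on output, so nothing
// the user typed is ever interpreted as HTML when it is echoed back.
function clean_for_output(string $text): string
{
    return htmlspecialchars(strip_tags($text), ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission (hypothetical values, standing in for $_POST).
$post = [
    'year'     => '19x7',
    'about_me' => str_repeat('word ', 60)
                . "<b onmouseover='javascript:window.close();'>hahahaha</b>",
];

printf("year accepted: %s\n", valid_year($post['year']) ? 'yes' : 'no');
printf("about_me over %d words: %s\n", MAX_WORDS,
       too_many_words($post['about_me']) ? 'yes' : 'no');
echo clean_for_output(chop_words($post['about_me'])), "\n";

// The allowed-tags problem from the post: strip_tags() keeps an allowed tag
// verbatim, attributes included, so the onmouseover handler survives.
$kept = strip_tags("<b onmouseover='javascript:window.close();'>hahahaha</b>", '<b>');
echo $kept, "\n";

// Dropping every tag and escaping the rest is the safe default; any "allow
// these tags" policy needs an HTML filter that understands attributes.
echo clean_for_output($kept), "\n";
```

The last three lines are the point of Justin's warning: with `'<b>'` in the allowed list the handler attribute is passed straight through, whereas strip_tags() with no allowed tags followed by htmlspecialchars() leaves only inert text.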