sanitizing USER input

  • realin
    Contributor
    • Feb 2007
    • 254

    #16
    Well, this doesn't allow me to edit after 60 mins,

    Anyways, I will make a new reply :D

    @pbmods


    Really, really, really, really.. thanks a lot, it works like a charm.. thanks, you rock :)


    *************** EDIT ***************

    One last thing I'm gonna ask regarding this topic.. :D

    Now that I take input, suggest when I should apply htmlentities to encode the signs into characters...

    I mean, if I send it to a function to convert the BBCode and then change it using html entities, then is it safe??

    Regards
    Realin!
    Last edited by realin; Sep 2 '07, 04:17 PM. Reason: Email Notification


    • pbmods
      Recognized Expert Expert
      • Apr 2007
      • 5821

      #17
      Heya, Realin.

      Realistically, because your Users may want to edit/quote their posts, you'll want to do all your processing right before you output it.

      Those dang Users; always making things difficult :)

      The order you'll want to do things would be:
      1. strip_tags()
      2. htmlspecialchars() (can't call before strip_tags() because that would make it useless)
      3. Process BBCode (can't call before either strip_tags() or htmlspecialchars() because that would undo what we're trying to do here!)


      • realin
        Contributor
        • Feb 2007
        • 254

        #18
        Originally posted by pbmods
        Heya, Realin.

        Realistically, because your Users may want to edit/quote their posts, you'll want to do all your processing right before you output it.

        Those dang Users; always making things difficult :)

        The order you'll want to do things would be:
        1. strip_tags()
        2. htmlspecialchars() (can't call before strip_tags() because that would make it useless)
        3. Process BBCode (can't call before either strip_tags() or htmlspecialchars() because that would undo what we're trying to do here!)

        hello,

        Sorry, my bad, but I got confused.. what I got is

        I take input from the user.. then do the steps you told me above.. and then output it.. but the step we are missing is when to store it in the database?

        And the database should have which format of string?? Is it &lt; or <
        And also, if I want to highlight code using the highlight_string() function, then do I need to use strip_tags() and all..


        thanks and sorry for my n00bness
        Last edited by realin; Sep 2 '07, 04:45 PM. Reason: Email Notification


        • realin
          Contributor
          • Feb 2007
          • 254

          #19
          hi again,

          If I use strip_tags() then I won't be able to display the code by the user?? I mean it just removes the tags.. I also want to display the code, if any, written by the user..

          So what if I use htmlentities() instead of strip_tags(), cause the latter will just vanish the tags..

          thanks once again
          Last edited by realin; Sep 2 '07, 05:10 PM. Reason: Email Notification


          • pbmods
            Recognized Expert Expert
            • Apr 2007
            • 5821

            #20
            Heya, Realin.

            Ah. Then nevermind the strip_tags() :P

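The output-time pipeline pbmods lays out in #17, with strip_tags() dropped as agreed in #19 and #20, as an added PHP example. This is not code from the thread or from any poster; the BBCode tag set and the function names bbcode_to_html() and render_post() are assumptions made for illustration, and the sample post is constructed.

```php
<?php
// Added example (not code from the thread): escape first, interpret BBCode
// second, and do both right before output. The text the user typed is what
// gets stored, so edit/quote hand back exactly what they wrote.

/**
 * Convert a small, fixed set of BBCode tags to HTML. Runs on text that has
 * already been through htmlspecialchars(), so the only '<' and '>' that can
 * reach the browser are the ones this function emits itself.
 */
function bbcode_to_html(string $escaped): string
{
    $rules = [
        '/\[b\](.*?)\[\/b\]/s'       => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s'       => '<em>$1</em>',
        '/\[code\](.*?)\[\/code\]/s' => '<pre><code>$1</code></pre>',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $escaped);
}

/**
 * Render a stored post for display.
 */
function render_post(string $raw): string
{
    // Step 1: neutralise any HTML the user typed. This stands in for the
    // strip_tags() step so that user-written code stays visible instead of
    // being deleted.
    $escaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    // Step 2: BBCode last; escaping afterwards would mangle the tags emitted.
    return bbcode_to_html($escaped);
}

// Constructed sample post: BBCode plus a snippet of HTML the user wants shown.
$raw = "[b]Try this:[/b] [code]<a href=\"x\">link</a>[/code]";

// Correct order: the user's <a> tag is displayed as text, the BBCode works.
echo render_post($raw), "\n";

// Wrong order for comparison: BBCode first, then escaping, which turns the
// generated <strong> and <pre> markup into visible text.
echo htmlspecialchars(bbcode_to_html($raw), ENT_QUOTES, 'UTF-8'), "\n";

// What strip_tags() would have done to the same post: the user's code is gone.
echo strip_tags($raw), "\n";
```

render_post() runs on the raw text as it was stored, so only the display path escapes anything. Do not run htmlspecialchars() a second time over the rendered result: the `&` in every entity it already produced would be encoded again and the page would show literal `&lt;` sequences.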

            • bucabay
              New Member
              • Apr 2007
              • 18

              #21
              Code:
              return apply_filters('sanitize_user', $username, $raw_username, $strict);
              That piece is most likely there in the wordpress username filter to re-run the filter until the input and output are the same.
              This is only necessary if the filter replaces or removes patterns of characters in a sequence. For global replacements like htmlentities() it would not be needed.

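bucabay's point that a filter which removes a sequence of characters has to be re-run until its output stops changing, as an added PHP example. This is not WordPress code and not from any poster; remove_img_tag() and filter_until_stable() are illustrative names, and forbidding the [img] tag is just a constructed stand-in for whatever sequence a filter removes.

```php
<?php
// Added example (not the WordPress code discussed in the thread): a
// sequence-removing filter, run once versus run until its output is stable.

/** Single pass: delete every occurrence of the disallowed tag pair. */
function remove_img_tag(string $s): string
{
    return str_replace(['[img]', '[/img]'], '', $s);
}

/**
 * Re-run a filter until input and output are the same, which is what bucabay
 * describes the apply_filters() call doing. The iteration cap guards against
 * a filter that keeps rewriting rather than removing and never converges.
 */
function filter_until_stable(callable $filter, string $input, int $max = 10): string
{
    for ($i = 0; $i < $max; $i++) {
        $output = $filter($input);
        if ($output === $input) {
            return $output;
        }
        $input = $output;
    }
    throw new RuntimeException('filter did not converge');
}

// Constructed input: deleting the inner tags once leaves a complete
// [img]...[/img] pair behind, assembled from the surrounding characters.
$nested = '[im[img]g]photo[/i[/img]mg]';

var_dump(remove_img_tag($nested));                        // after one pass
var_dump(filter_until_stable('remove_img_tag', $nested)); // after stabilising
```

After the first pass the constructed input still contains a full [img]photo[/img]; the loop removes it on the second pass and stops on the third, when nothing changes. As bucabay says, a character-for-character encoder such as htmlentities() does not need this loop at all; running it twice would in fact double-encode every `&` it had just produced, so the fixed-point loop is only for filters that delete or rewrite sequences.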

              • realin
                Contributor
                • Feb 2007
                • 254

                #22
                Originally posted by bucabay
                Code:
                return apply_filters('sanitize_user', $username, $raw_username, $strict);
                That piece is most likely there in the wordpress username filter to re-run the filter until the input and output are the same.
                This is only necessary if the filter replaces or removes patterns of characters in a sequence. For global replacements like htmlentities() it would not be needed.
                Yeah, it is from WordPress as I mentioned above somewhere.. but what it does I could never understand, but now I have got an idea

                thanks ;)
