4.2. Sanitizing Variables

Sometimes, telling users to go back and try again when they fail to enter valid data simply isn't an option. When you have to make do with what the user gives you, you can use a couple of techniques to make sure that bad data doesn't break your application — or, worse, the underlying systems that support your application, such as e-mail transport and the operating system. The following sections tell you how to prevent bad user input from mucking up the works.

4.2.1. Converting HTML special characters

Sometimes, you want to allow users to enter HTML into your application. A blog comment system, for example, usually allows users to post hyperlinks. But you don't have to open your application to just anything that users might want to put in.

If you allow users to enter HTML, you should always convert HTML special characters to HTML entities by using the htmlentities() function. The htmlentities() function takes the string to be converted as its argument. The function then does a simple search-and-replace for the following HTML-special characters:

  • & (ampersand) becomes &amp;

  • " (double quote) becomes &quot;

  • ' (single quote) becomes &#039;

  • < (less than) becomes &lt;

  • > (greater than) becomes &gt;

If you need to escape every character that has an HTML entity equivalent, not just the five listed above, use htmlentities() rather than htmlspecialchars(), which converts only those special characters.
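As an added example (not code from the book) of the conversion described above, the following PHP wraps htmlspecialchars() and htmlentities() with explicit flags and a UTF-8 charset and uses them to render a blog comment; the function names and the sample comment are assumptions constructed for illustration:

```php
<?php
// Added example, not code from the book: escaping untrusted user text
// before it is echoed into an HTML page. The function names and the
// sample comment below are assumptions constructed for illustration.

declare(strict_types=1);

// Convert only the HTML-special characters (&, ", ', <, >).
// ENT_QUOTES makes the single quote get converted as well; before PHP 8.1
// the default flags left it untouched. ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string, which would
// otherwise silently discard the whole comment.
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Convert every character that has a named HTML entity (é becomes
// &eacute;, for example), in addition to the special characters above.
function escape_html_all(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the markup for one blog comment. The author name lands inside a
// double-quoted attribute and the body inside an element, so both must be
// escaped; the same function is safe for either context because quotes,
// angle brackets and ampersands are all converted.
function render_comment(string $author, string $comment): string
{
    return '<div class="comment" data-author="' . escape_html($author) . '">'
        . '<p>' . escape_html($comment) . '</p>'
        . '</div>';
}

// Constructed sample input containing every special character plus
// a non-ASCII letter and a tag that must not be interpreted as markup.
$author  = 'Ann "Annie" O\'Brien';
$comment = '<b>Hi</b> & welcome to the café <script>alert(1)</script>';

echo render_comment($author, $comment), PHP_EOL;

// htmlentities() additionally rewrites the é as a named entity.
echo escape_html_all($comment), PHP_EOL;
```

Run it with the PHP CLI to compare the two outputs: the first keeps the é as-is and neutralizes the markup, quotes and ampersand; the second also replaces the é with its named entity.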

4.2.2. Sanitizing e-mail addresses

Many Web applications ...