Validating input for a TEXT column


Shalazar
02-28-2000, 09:53 PM
Wow, it's amazing anyone can find anything in this PHP documentation :)

I think I've solved my own form problem, and would like to pass along the knowledge to everyone else, should it be correct.

I have several free-form TEXTAREA text boxes that users can fill in before submitting to the database. I've been trying to find the best way to protect that input from being fed malicious text, be it HTML formatting, SSIs, or even PHP commands.

At first, I was going to rely on regular expressions, but felt that would be way too limiting and could not provide an option to tell the user exactly what was wrong with their input.

Then I was referred to addslashes(), which managed to only escape single and double quotes so MySQL wouldn't get hung up on itself. Then I found strip_tags(), which is a delightful little function which wipes out anything embedded in an HTML or PHP tag, leaving plain text untouched.

So I think my arsenal is complete for the remainder of this form. First I execute addslashes() to escape the quotes (remember to use stripslashes() if you want to echo it back!), combined with the strip_tags() function to eliminate any funny business.

From what I've read, it's a brute-force method, and not very intelligent at that, but I'm going to try it out, unless anyone else has any contradictory advice.

Charles Capps
02-28-2000, 10:33 PM
You might want to use urlencode() and urldecode()... It'll convert any alphanumerics to hex %xx codes. That will certainly make it safe for storage... Try htmlspecialchars() to convert any HTML special characters to safe versions, such as < to &lt;.

Justin
02-28-2000, 11:49 PM
I wouldn't URL encode for storage - you would be adding to the space used (every space becomes %20, for example)... URL encoding is good for passing form data from one page to the next, but not meant for storage purposes. Besides that, if you search through the data, not only do you have to URL encode your query - you have to escape the % signs in your query as well...

All I do is this - I put this function in my standard include library:
function fix ($text) {
    // Double every single quote so MySQL reads it as a literal quote
    // inside a single-quoted string. (The original post used ereg_replace(),
    // which was removed in PHP 7.0; str_replace() does the same job here.)
    return str_replace("'", "''", $text);
}
This simply doubles up any single quotes, thus escaping them. No need to escape double quotes if you use single quotes to quote your data exclusively.

Then I just say:
$name = fix($name);
$email = fix($email);
// mysql_query() belongs to the original mysql extension, which was removed in PHP 7.0.
$r = mysql_query ("insert into addresses values ('$name', '$email')");
Fix() is easier to type than addslashes() - each time I type the latter, I use the backspace at least twice from trying to type it too fast... Nothing wrong with creating a function for the sole purpose of laziness - that's what functions are for :)

Another function I use a lot is this:
function int($num) {
    // Shorthand for intval(): returns the integer portion of $num.
    return intval($num);
}
Too many languages... all others use int() to return the integer portion of a number - but PHP uses intval()...

Back to PHP - I find their documentation extremely easy to follow - and I love their site, but that's beside the point. Their manual groups everything by function and provides examples for everything...

Oh - stripping HTML - I usually do this:
// Encode the two characters that open and close an HTML tag.
$input = str_replace ("<", "&lt;", $input);
$input = str_replace (">", "&gt;", $input);

str_replace() is faster than ereg_replace(), since we don't need to use a regex...

Hope this helps.

------------------
Justin Nelson
FutureQuest (http://www.FutureQuest.net/index.php) Support
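The thread above reaches for addslashes(), quote doubling and strip_tags() to make TEXTAREA input safe. As an added example that is not part of any post, the block below shows the approach a practitioner would take today in PHP: keep SQL and data apart with a PDO prepared statement, store the text exactly as typed, and encode it for the output context with htmlspecialchars() at display time. It also shows concretely why a quote-doubling fix() and a replacement of only < and > fall short. The $pdo connection, the addresses table layout, the function names and the hostile inputs are all assumptions made for this example.

```php
<?php
// Added example for this thread, not code from any of the posts.
// Assumptions: PHP >= 7.0, a PDO connection in $pdo to a MySQL database with
// a table addresses(name VARCHAR(100), email VARCHAR(100)), and the default
// sql_mode (backslash is an escape character inside string literals).
declare(strict_types=1);

// --- Storage: parameterize, don't escape -----------------------------------
// The statement text reaches MySQL without any user data in it; the values
// travel separately, so nothing the user types can change the SQL.
function insertAddress(PDO $pdo, string $name, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO addresses (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

// --- Why doubling quotes is not enough on MySQL ------------------------------
// The thread's fix(), reduced to its effect: every ' becomes ''.
function fixByDoubling(string $text): string
{
    return str_replace("'", "''", $text);
}

function naiveInsert(string $name, string $email): string
{
    return "insert into addresses values ('" . fixByDoubling($name) . "', '"
        . fixByDoubling($email) . "')";
}

// Constructed hostile input: the name is one backslash, which contains no
// quote and so passes fixByDoubling() unchanged. MySQL then reads \' as an
// escaped quote, the literal runs on to the next quote, and the email value
// is parsed as SQL instead of data.
$sql = naiveInsert('\\', '1), (2, 3) -- ');
echo $sql, "\n";
// insert into addresses values ('\', '1), (2, 3) -- ')
// MySQL tokenizes this as VALUES ('\', 1), (2, 3) with the tail commented
// out: two rows inserted, the second one entirely attacker-chosen.

// --- Output: encode for the context, at display time ------------------------
// Store the text as typed; encode when rendering. Replacing only < and >
// leaves quotes alone, which is enough to break out of an attribute value.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$comment = '" onmouseover="alert(1)';   // constructed hostile input
echo '<input value="' . str_replace(['<', '>'], ['&lt;', '&gt;'], $comment) . '">', "\n";
// <input value="" onmouseover="alert(1)">           <- new attribute injected
echo '<input value="' . h($comment) . '">', "\n";
// <input value="&quot; onmouseover=&quot;alert(1)"> <- inert text
```

Two caveats worth knowing. The backslash trick depends on MySQL's default sql_mode; with NO_BACKSLASH_ESCAPES set, quote doubling is the only escape the server honours. And if a query genuinely cannot be parameterized, the escape to use is the driver's own, mysqli_real_escape_string() or PDO::quote(), which knows the connection's character set; addslashes() and a hand-rolled str_replace() do not, which is why they are not a substitute.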