[thelist] PHP_SELF / Contact Form
DAVOUD TOHIDY
dtohidy at hotmail.com
Wed Aug 4 15:52:20 CDT 2010
> From: moseley at hank.org
> Date: Wed, 4 Aug 2010 13:27:45 -0700
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] PHP_SELF / Contact Form
>
> On Wed, Aug 4, 2010 at 1:11 PM, DAVOUD TOHIDY <dtohidy at hotmail.com> wrote:
> Yes, stop digging yourself into a hole. ;)
>
> If you followed the advice weeks earlier then you would just:
>
> 1) never escape the data on input.
> 2) use the correct escape method when using that data.
> (Meaning using bind parameters when writing to the database, and html
> escaping when rendering to, eh, html)
>
> And 3) I'd probably just use <pre> (or maybe white-space:pre) to render the
> text as the user entered it if that's important. Or render it again in the
> text area, which is what you probably want in this case.
>
>
> Simple approaches are best.
>
> I'd also search for a PHP template engine to avoid mixing markup and php
> code. (But, maybe with PHP markup does belong on the code??)
>
>
> --
> Bill Moseley
> moseley at hank.org
> --
Well, I will surely do it later, I mean in regards to escaping. I am now experimenting.
But again I found a very nice solution for the carriage:
I now have the following (notice the chr(13) that I added):
<?php $message = str_replace(array("\r\n", "\n", "\r"), chr(13), $message); echo $message; ?>
So without the mysql_real_escape_string that works just fine.
However as I mentioned I would like to have mysql_real_escape_string.
So please provide a solution :)
I am now going home from work, so I will reply tomorrow.
Thanks for your input.
Davoud
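The approach Bill recommends above (store the raw input with a bound parameter, HTML-escape only when rendering, and let <pre> or the textarea show the line breaks) as an added example that is not part of this thread. The SQLite backend, the `contact` table and its column names are assumptions made so the script runs stand-alone.

```php
<?php
// Added example: escape at the right layer instead of on input, so the
// message keeps its newlines and cannot break the SQL or the HTML.
// In-memory SQLite plus the table/column names are assumptions.

function saveMessage(PDO $db, string $name, string $message): int {
    // No mysql_real_escape_string on input: the text is stored exactly as
    // typed. The bound parameter keeps quotes, backslashes and newlines
    // out of the SQL grammar, so they cannot alter the query.
    $stmt = $db->prepare('INSERT INTO contact (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
    return (int) $db->lastInsertId();
}

function renderMessage(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT name, message FROM contact WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Escape at the output boundary: htmlspecialchars neutralises any markup
    // the sender typed, and leaves the original \r\n line breaks untouched,
    // which <pre> (or the textarea) then displays as entered.
    $name = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body = htmlspecialchars($row['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>From: $name</p>\n<pre>$body</pre>\n"
         . '<textarea name="message">' . $body . "</textarea>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, message TEXT)');

// Constructed sample input: an apostrophe in the name, and a message with
// CRLF line breaks, a quote and an HTML tag, as a browser would submit it.
$id = saveMessage($db, "O'Brien", "Hello,\r\nIt's <b>urgent</b>.\r\nThanks");
echo renderMessage($db, $id);
```

Because nothing was escaped on the way in, the same stored text can be re-rendered in the textarea, mailed, or logged without first undoing any slashes.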