[SOLVED] regex or escaping characters for safe display?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am


Post by rubberjohn »

Just a quick question...

I understand how to test say username and login fields to make sure they are only alphanumeric using regex.

But

How do you allow a user to type anything they want and display it safely? Like in forums where users can type any alphanumeric character as well as any other keyboard character and have it displayed with no effect on the system.

Basically in a situation where you want to be flexible about user input.

Is this done with regex or are the non-alphanumeric characters escaped somehow or is it a combination of both methods?

cheers

rj
Last edited by rubberjohn on Wed Mar 15, 2006 4:07 pm, edited 1 time in total.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Use htmlentities

Code:

// Take the raw value exactly as submitted; no escaping is done on input.
$string = $_POST['name'];

// Escape it for the HTML context at output time. ENT_QUOTES converts both
// single and double quotes, so the result is also safe inside attribute values;
// the explicit charset keeps the conversion consistent with the page encoding.
echo htmlentities($string, ENT_QUOTES, 'UTF-8');
rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am

Post by rubberjohn »

Thanks for the reply.

So, say in this forum, for the subject and the main post body, only htmlentities is used?

rj
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Posts on this board, like any other phpBB board, are processed both on entry into the database and on display. They are processed for different things (quick tag replacement and such) on first pass, and for final display with HTML on the final pass. nl2br() and htmlentities() are the most basic, with little actual processing of the text submission.
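The combined approach matthijs and feyd describe (regex allow-list for constrained fields, free-form text stored as typed and escaped only when rendered), as an added example that is not code from the thread or from phpBB; the function names and the sample post are constructed for illustration, and ENT_SUBSTITUTE assumes PHP 5.4 or later:

```php
<?php
declare(strict_types=1);

// Constrained field: a strict allow-list regex rejects anything outside it.
function is_valid_username(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) === 1;
}

// Free-form field: keep the stored text exactly as typed and escape it for the
// HTML context at display time, so any markup the user entered is shown as
// literal characters rather than interpreted by the browser.
function render_post_body(string $raw): string
{
    // ENT_QUOTES escapes ' and " as well as <, > and &, so the result is also
    // safe inside attribute values. ENT_SUBSTITUTE replaces invalid UTF-8 byte
    // sequences instead of returning an empty string for the whole post.
    $escaped = htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Line breaks are turned into <br /> only after escaping, so the <br />
    // tags added here are the only tags that can appear in the output.
    return nl2br($escaped);
}

// Constructed sample input: arbitrary keyboard characters, including markup.
$samplePost = "Hello <b>world</b> & \"friends\"\nIt's <script>alert(1)</script>";

var_dump(is_valid_username('rubber_john'));   // accepted by the allow-list
var_dump(is_valid_username('rubber john<'));  // rejected: space and < not allowed

// The <b> and <script> tags come out as text; the newline becomes <br />.
echo render_post_body($samplePost), "\n";
```

The escaping belongs at the point where the text enters HTML; a post stored escaped would need to be unescaped again before it could be shown in any non-HTML context such as an e-mail notification.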
rubberjohn
Forum Contributor
Posts: 193
Joined: Fri Feb 25, 2005 4:03 am

Post by rubberjohn »

Cheers for that, guys.

I think I'm going to have to start paying you soon, feyd!

rj