#1
Messages: n/a
Host:
I am writing a page that lets people write a bulletin board message by filling in a short form. The information is uploaded to a mysql database and then displayed on the "Bulletin Board" page by reading the db.

1. What characters, if any, should I disallow other than html tag marks (< and >)?
2. Do I need to inspect/filter the field contents on download as well as upload?
3. Do I need to remove alternate codes for illegal symbols, especially tags (e.g., "& lt;")?

The page is XHTML 1.0 Strict, charset=ISO-8859-1; the database field is collated in latin1_swedish_ci.

In case it is not clear, the user types into a textarea, e.g. (example is much simplified):

Lost: Jack Russell terrier. Answers to "supper". Strong jaws and teeth. Able to jump on kitchen counters. If found, please give him a good home.

This is put through regex (which currently filters only < and >) then uploaded to the db in the field 'text'. There is a "Bulletin Board" page that queries the db, changes the field name to variables, and displays it:

print "<div class='content'><h3>$head</h3><p>$text</p></div>";

-- Mason Barge
|
|
|
#2
|
On Sat, 01 Mar 2008 17:02:40 +0100, Mason Barge <masonbarge@comcast.net> wrote:

> I am writing a page that lets people write a bulletin board message by filling in a short form. The information is uploaded to a mysql database and then displayed on the "Bulletin Board" page by reading the db.
>
> 1. What characters, if any, should I disallow other than html tag marks (< and >)?
> 2. Do I need to inspect/filter the field contents on download as well as upload?
> 3. Do I need to remove alternate codes for illegal symbols, especially tags (e.g., "& lt;")?
>
> The page is XHTML 1.0 Strict, charset=ISO-8859-1; the database field is collated in latin1_swedish_ci.
>
> In case it is not clear, the user types into a textarea, e.g. (example is much simplified):
>
> Lost: Jack Russell terrier. Answers to "supper". Strong jaws and teeth. Able to jump on kitchen counters. If found, please give him a good home.
>
> This is put through regex (which currently filters only < and >) then uploaded to the db in the field 'text'. There is a "Bulletin Board" page that queries the db, changes the field name to variables, and displays it:
>
> print "<div class='content'><h3>$head</h3><p>$text</p></div>";

Either use strip_tags(), or just htmlspecialcharacters(). I usually just employ the latter one; if someone wants to look foolish by uploading HTML, fine, it will be displayed as text, no big deal.

-- Rik Wasmus
|
|
|
#3
|
"Rik Wasmus" <luiheidsgoeroe@hotmail.com> wrote in message news p.t7cjrbxe5bnjuv@metallium.lan...

On Sat, 01 Mar 2008 17:02:40 +0100, Mason Barge <masonbarge@comcast.net> wrote:

> I am writing a page that lets people write a bulletin board message by filling in a short form. The information is uploaded to a mysql database and then displayed on the "Bulletin Board" page by reading the db.
>
> 1. What characters, if any, should I disallow other than html tag marks (< and >)?
> 2. Do I need to inspect/filter the field contents on download as well as upload?
> 3. Do I need to remove alternate codes for illegal symbols, especially tags (e.g., "& lt;")?
>
> The page is XHTML 1.0 Strict, charset=ISO-8859-1; the database field is collated in latin1_swedish_ci.
>
> In case it is not clear, the user types into a textarea, e.g. (example is much simplified):
>
> Lost: Jack Russell terrier. Answers to "supper". Strong jaws and teeth. Able to jump on kitchen counters. If found, please give him a good home.
>
> This is put through regex (which currently filters only < and >) then uploaded to the db in the field 'text'. There is a "Bulletin Board" page that queries the db, changes the field name to variables, and displays it:
>
> print "<div class='content'><h3>$head</h3><p>$text</p></div>";

-----------------------------
Either use strip_tags(), or just htmlspecialcharacters(). I usually just employ the latter one; if someone wants to look foolish by uploading HTML, fine, it will be displayed as text, no big deal.
------------------------------

Thanks for the response. I'd rather just throw an error on html tags, considering my audience, purpose, etc. What I really am worried about is whether I need to be concerned with characters other than tags.
|
|
|
#4
|
..oO(Mason Barge)

> What I really am worried about is whether I need to be concerned with characters other than tags.

No. Just make sure you properly escape your data when it goes into the DB (use mysql_real_escape_string() or prepared statements) and when you print it out again (htmlspecialchars()). These are the most important things.

Micha
|
|
|
#5
|
Greetings, Mason Barge.

In reply to Your message dated Saturday, March 1, 2008, 19:02:40,

> I am writing a page that lets people write a bulletin board message by filling in a short form. The information is uploaded to a mysql database and then displayed on the "Bulletin Board" page by reading the db.

> 1. What characters, if any, should I disallow other than html tag marks (< and >)?

Anything You decide to.

> 2. Do I need to inspect/filter the field contents on download as well as upload?

You should take care of user data in two, and only two, places:

1. Before inserting into the DB - apply a proper escaping function like mysql_escape_string().
2. Before showing data to the user - apply the HTML special characters conversion function htmlspecialchars().

Do not do anything else unless You know for sure what You are doing (like BBcode parsing).

Do NOT apply htmlspecialchars() before inserting into the DB. A common mistake: You apply htmlspecialchars() before DB insertion, then apply it again before showing to the user - and now You absolutely can't use <>"'& symbols in text fields.

> 3. Do I need to remove alternate codes for illegal symbols, especially tags (e.g., "& lt;")?

No, unless You know that the user's client is sending codes that way (EVE Minibrowser does that, for example).

> The page is XHTML 1.0 Strict, charset=ISO-8859-1; the database field is collated in latin1_swedish_ci.

Doesn't matter, but I suggest changing Your database to use UTF-8. It will save You from a big headache later.

--
Sincerely Yours, AnrDaemon <anrdaemon@freemail.ru>
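The advice in replies #2, #4 and #5 comes down to one pattern: store the message as typed, let a prepared statement (or the driver's escaping function) handle SQL quoting on the way into the database, and call htmlspecialchars() exactly once, at output time. The script below is an added example written for this thread, not code posted by any of the participants. It uses SQLite through PDO as a stand-in for MySQL so it runs offline, and the table name, column names and sample message are constructed; the rendered markup follows Mason's original print statement. The last lines reproduce the double-escaping mistake AnrDaemon describes.

```php
<?php
// Added example, not code from the thread. It shows the two escaping points
// the replies describe: a prepared statement when a message goes into the
// database, and htmlspecialchars() once, when it is printed into the page.
// SQLite via PDO stands in for MySQL so this runs offline; the table name,
// column names and sample message are constructed for the example.

declare(strict_types=1);

/** Store the message exactly as typed; the driver handles SQL quoting. */
function saveMessage(PDO $db, string $head, string $text): void
{
    $stmt = $db->prepare('INSERT INTO bulletin (head, text) VALUES (:head, :text)');
    $stmt->execute([':head' => $head, ':text' => $text]);
}

/**
 * Escape for HTML at output time. ENT_QUOTES converts single quotes too,
 * which matters because the board's markup uses class='content'; the
 * charset argument matches the page's ISO-8859-1 declaration.
 */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'ISO-8859-1');
}

/** Render the board the way the original print statement does, escaped. */
function renderBoard(PDO $db): string
{
    $out = '';
    foreach ($db->query('SELECT head, text FROM bulletin ORDER BY id') as $row) {
        $out .= "<div class='content'><h3>" . esc($row['head']) . "</h3><p>"
              . esc($row['text']) . "</p></div>\n";
    }
    return $out;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bulletin (id INTEGER PRIMARY KEY AUTOINCREMENT, head TEXT, text TEXT)');

// Constructed sample input: quotes, an ampersand and an apostrophe that a
// regex stripping only < and > would pass through untouched, plus a tag.
saveMessage($db, 'Lost: Jack Russell terrier',
    'Answers to "supper". Strong jaws & teeth; he\'s friendly. <b>Reward</b>');

// The tag comes back as visible text, not as markup the browser interprets.
echo renderBoard($db);

// The mistake AnrDaemon warns about: escaping before INSERT and again on
// output. The second pass escapes the '&' that the first pass produced, so
// the reader sees entity text instead of the characters they typed.
$storedAlreadyEscaped = esc('<b>');   // what a pre-escaped column would hold
echo esc($storedAlreadyEscaped), "\n";
```

Two caveats for anyone adapting this: the mysql_escape_string()/mysql_real_escape_string() functions named in the thread belong to the old mysql extension, which no longer exists in PHP 7 and later, so prepared statements through PDO or mysqli are the current equivalent of step 1; and htmlspecialchars() takes a fourth argument, double_encode, which when set to false leaves existing entities such as "&lt;" alone, the case Mason's third question asks about.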
|