"wj" <wz*@jongnederland.nl> wrote in message
news:e8**************************@posting.google.com...
Hi all,
I'm trying to create a forum on my website. I use PHP and store the
messages in a MySQL database. Messages can be entered in a textarea.
What should I do to prevent users from entering code (JavaScript or PHP or
MySQL or ...) that can be executed when I show a message with HTML? Is
it enough to use htmlspecialchar()?
Any tips?
Thanx,
WJ
Yes, using htmlspecialchars() will prevent JavaScript from being inserted
into your pages. The trick is remembering to use it everywhere where
user-entered data appears. The danger is not just with text entered into a
textarea, but any text. I can deface your site just as effectively with
tags entered into an email field.
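The point of the reply, as an added example that is not part of either post: one escape helper applied to every user-supplied field at output time (name and email included, not only the textarea body), plus a prepared statement for storage so the message text never ends up inside SQL. The `$pdo` handle, the `posts` table and the column names are assumptions; the sample post is constructed.

```php
<?php
declare(strict_types=1);

// Escape a value for an HTML body or attribute context. ENT_QUOTES also
// escapes single quotes, so the result is safe inside value='...' as well.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store a post with a parameterised query. The fields are bound, never
// concatenated into the SQL string, so quotes or markup in them cannot
// change the statement. $pdo is an assumed, already configured PDO handle.
function storePost(PDO $pdo, string $name, string $email, string $message): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO posts (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':message' => $message]);
}

// Render a stored post. Every field passes through h(); nl2br() is applied
// after escaping so the <br /> tags it adds are the only markup emitted.
function renderPost(array $post): string
{
    return '<div class="post">'
         . '<b>' . h($post['name']) . '</b> &lt;' . h($post['email']) . '&gt;'
         . '<p>' . nl2br(h($post['message'])) . '</p>'
         . '</div>';
}

// Constructed sample: tags in the email field as well as in the message body.
// Both come out as inert text once rendered through h().
$sample = [
    'name'    => 'wj',
    'email'   => '"><b>not plain text</b>',
    'message' => "Hello <script>alert(1)</script>\nsecond line",
];

echo renderPost($sample), PHP_EOL;
```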