From: Jirka P. <fi...@us...> - 2002-05-02 08:06:45
> Perhaps you could post a sample of the changes that you are planning to
> make, or just make changes to one file, so we can take a look at what
> you are planning on a large scale. I'm not quite clear from your
> description below on everything that has changed, and I'd like to have a
> better understanding in that regard. One thing I don't understand is
> the role the magic quotes play in this.

Well, I'll try to describe it somehow better (I hope, but my English is not perfect). We have 3 boolean configuration directives: magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase. So there are functions corresponding to these three directives, except for magic_quotes_sybase.

The Magic_Quotes_GPC directive sets the magic_quotes state for Get, Post and Cookie operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash if magic_quotes_gpc or magic_quotes_runtime is enabled.

If magic_quotes_runtime is enabled, most functions that return data from any sort of external source, including databases and text files, will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

So, for me it seems to be good if we set magic_quotes on for GPC operations. Then there will be no need to check the strings returned from user input or translate those strings with htmlspecialchars, htmlentities or addslashes. Then we can put the strings from user input directly into the database, without any conversion.

The opposite is getting them from the database. When we leave magic_quotes_runtime set to off, we will get strings without slashes from the database. Then we can handle all three cases (described in my previous e-mail) of printing these strings by using only the htmlspecialchars function.

I hope this will help user input handling and printing out to be transparent, and it will never touch various national special chars.

As you see, it's not possible to make only some small changes, because it is a complex change and maybe a change of the string-handling concept used in PHPBT until today; probably every line of code which handles strings has to be changed. Is it OK to do it, or do you think there is a better way, not seen by me? I don't say my way is the only possible way.

Jirka
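The mechanism described in the message above, as an added example that is not part of this thread or of PHPBT's code: a re-implementation of the escaping magic_quotes_gpc applies (and the magic_quotes_sybase variant, which is assumed here to follow the PHP manual in touching only single quotes), the round trip of a GPC string into an SQL literal and back out through htmlspecialchars with magic_quotes_runtime off, and the double escaping that results if an existing addslashes() call is left in the script, which is the reason every string-handling line has to be revisited. The function names and the sample input are constructed for the example.

```php
<?php
// Added example, not from PHPBT. Re-creates the escaping magic_quotes_gpc
// applies to Get/Post/Cookie data: ' " \ and NUL each get a backslash
// (the same result as addslashes()).
function magic_quotes_escape(string $s, bool $sybase = false): string
{
    if ($sybase) {
        // magic_quotes_sybase: ' becomes '' and (per the PHP manual, assumed
        // here) the other characters are left alone.
        return str_replace("'", "''", $s);
    }
    // Backslash is replaced first so the backslashes added afterwards
    // are not doubled again.
    return str_replace(["\\", "'", "\"", "\0"],
                       ["\\\\", "\\'", "\\\"", "\\0"], $s);
}

// The flow proposed above: magic_quotes_gpc on, magic_quotes_runtime off.
function round_trip(string $raw_input): array
{
    // 1. What $_POST['title'] contains when magic_quotes_gpc is on.
    $gpc = magic_quotes_escape($raw_input);
    // 2. Straight into the SQL literal, no addslashes() in the script.
    $sql = "INSERT INTO bugs (title) VALUES ('$gpc')";
    // 3. What the database stores once it has parsed the literal: the
    //    original text ($stored === $raw_input). A real database does this
    //    while parsing the statement; it is emulated here with stripslashes().
    $stored = stripslashes($gpc);
    // 4. magic_quotes_runtime off: the row comes back unchanged, so a single
    //    htmlspecialchars() is all that is needed before printing it.
    $html = htmlspecialchars($stored, ENT_QUOTES);
    // 5. The pitfall: an old addslashes() call left in the script escapes
    //    the already-escaped GPC data, and the backslashes end up stored.
    $doubled = stripslashes(addslashes($gpc));
    return ['sql' => $sql, 'stored' => $stored, 'html' => $html,
            'doubled' => $doubled];
}

// Constructed input with a quote, HTML, a backslash and a national character.
$r = round_trip("Jiří's <b>\"fix\"</b> C:\\tmp");
printf("SQL:     %s\n", $r['sql']);
printf("stored:  %s\n", $r['stored']);
printf("HTML:    %s\n", $r['html']);
printf("doubled: %s\n", $r['doubled']);
```

The `doubled` value is what ends up in the table when the script still calls addslashes() on data that magic_quotes_gpc has already escaped, which is why the two cannot be mixed.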