marklarah
  1. Why? If html_entity_decode is simply the exact reverse of htmlentities, the only changes from the original data that would be lost would be whitespace, or unsuitable characters...which we wouldn't want to store anyway. Of course if your application has to perform lots of operations on the stored unencoded data, then yes it would make sense to store it as such. But I think for most applications (forums, blogs etc), storing it encoded seems to be a much more hassle-free way of doing it. Anyway, I appreciate the arguments you've made, thanks. For large scale applications, I will store it unencoded, but as long as I know all I'm doing with the data is displaying it, I can't see any reason not to store it encoded. Thanks!
  2. I earnestly believe it to be, yes. I find you only actually "need" the original data in those sorts of situations far less often than you do just output it. In which scenario, the same argument can be made that you need to remember to encode on every. single. output. each. time. In any case, if it's just a question of convenience, then imo both methods are valid, and it's just down to preference, and what your application calls for.
  3. Hmm, I'm not entirely convinced that's a brilliant solution though - and what about those of us who don't template? idk, it seems there's not really any strong YOU MUST NOT DO THIS OR APACHE WILL EXPLODE kind of reasoning behind not sanitising. As long as you remember to do it for every input, and have a method for getting the original data, you can't go wrong!
  4. Hi, thanks for the responses! Just curious though... I agree there could be these situations, but then surely the inverse of the clean function would return it to its original formatting (minus any extraneous whitespace)? htmlentities is a 1-to-1 mapping, as is html_entity_decode, so any 'mangled' data can be returned to its original form, and then used in such situations. To my mind, it's just as easy (if not easier) to encode the data on input, rather than having to encode it each time on output, and simply run an unclean() function on the odd occasion you may need to create an RSS feed or whatever. This is all, of course, as matters appear to my naïve mind.... I could perhaps be completely wrong haha. Essentially, all I'm trying to say is that for every argument made for NOT encoding data on input, the same can be said for the converse. Thanks!
  5. Hi. This is more of a general question - obviously when we have user input in our applications, the traditional defence against XSS and injections and all that kind of thing is to validate user input (and add slashes) and then encode its output each time. This is as opposed to sanitisation. So the age-old question: what's really wrong with encoding the input, rather than the output? Then you don't have to encode data each time you call it! Say this is what my clean function would look like:

      ```php
      <?php
      // Encode on input: HTML-encode and trim every user value before it reaches the DB.
      function clean($dirty)
      {
          if ($dirty === FALSE) {
              return '';               // treat a failed/missing value as empty
          }
          // ENT_QUOTES encodes both " and '. Note: without ENT_SUBSTITUTE, invalid
          // UTF-8 makes htmlentities() return '' and the whole input is silently lost.
          $dirty = htmlentities($dirty, ENT_QUOTES, "UTF-8");
          return trim($dirty);
      }
      ?>
      ```

      and I run that on all user input before entering it into the DB. Why is this considered bad practice?
  6. You sir, are a god amongst men. Many thanks.
  7. Absolutely, you should keep it in MySQL, storing it in PHP files is extremely counterintuitive (and will be slow when you try to execute it and take up memory). Your best bet is to use memcached I think.
  8. I believe this is what you're looking for http://php.net/manual/en/function.nl2br.php
  9. Hey hey dudes So I'm fairly new to regex (I've avoided having to write my own expressions up till now lol) So I have a big expression that matches URLs, but I don't want it to match if it's proceeded by something. To boil it down and put it simply, something like this ([a-z]+)(?!( hi)) with string "hello hi" would match "hell", but how would I make it so it matches nothing? ie how do I put everything else that I'd normally test for together in a group or something, with a conditional that if everything is proceeded by something else, the whole thing returns no matches. Hope I'm making myself clear.... Thanks! Mark
  10. Think I've got my head round your checkbox conundrum. Whilst there are probably more efficient ways of achieving what you want, the simple way is to put all the IDs contained in $result_checked into an array. Then, in your loop, have something like

      ```php
      while ($row4 = mysql_fetch_array($quer4)) {
          // Tick the box if this workshop's ID is among the already-linked ones.
          $checked = in_array($row4['workshop_id'], $myArray) ? ' checked="checked"' : '';
          echo "<input type='checkbox' name='workshop_link_1[]' value='" . (int)$row4['workshop_id'] . "'" . $checked . ">"
              . htmlspecialchars($row4['workshop_title']) . "<BR>";
      }
      ```

      or something like that, idk if that helps at all. - mark.
  11. > What are you trying to achieve? As for file hosting sites, they use the tokens to determine whether the user is real and the user status. Since the services always return a file, it's goddamn heavy on the servers, that's why they've got plenty of them. And if I understood you correctly, you are returning a file that contains text (or HTML or whatever) and rendering it to the browser; it really doesn't matter, since the client must anyhow download all the data (but for a small optimisation you could always cache the page(s) on the server and skip the readfile part in whole).

      No, they're likely to be video files, and when I say echoing to the browser, that is in fact what reading the file does, regardless of file type.

      > and by his posts, there is no real concept of what file functions do, and how to throttle bandwidth. 1) learn to code 2) Post code yer having probs with, otherwise this thread will just be forgotten in a few days

      Actually I've been coding for 5 years now, but heavy download sites isn't something I've ever needed to dabble with until now. My simple question still remains unanswered: isn't using fread/readfile or something of the sort a bad hog on the server, and what are the alternatives?
  12. how do download sites do it if not by reading the file? There has to be a way of controlling download speed etc
  13. Ok readfile, whatever. How bad is using readfile though over and over again, won't that hammer the server?
  14. Hi! I run a site that requires users to access largish files, for download as well as for streaming to the browser. It's fairly active, so assuming the worst, how bad is getting PHP to read the files (stored outside of the webroot) and then echo them to a page dynamically for the browser to read? Currently, I just have the files stored accessible to the web, but an .htaccess protects them by requiring a cookie and also requiring the referrer to be my site. Now I'm not totally stupid and realise those are both easily spoofed, so I'm looking for a better solution. How do the file hosting sites do it? Using a token system has to involve PHP or some other server-side scripting, but then getting the server to read the file with fread() or some similar equivalent would be resource heavy, no? Is that the best way to do it?
  15. Yes it is. I should clarify: it would need user intervention though. Otherwise any old webpage could steal your cookie file for example.
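The encode-on-input question in posts 1 to 5 above asks what actually goes wrong when htmlentities() runs before storage rather than at output. The following is an added example, not code from the thread: it takes one constructed input value, stores it the thread's way and the raw way, and then writes each to several output contexts (plain-text mail, JSON API, a re-displayed form field, a substring search, HTML body, attribute, script block, URL). It assumes only standard PHP; the helper names are the example's own.

```php
<?php
// Added example, not from the thread: encode-on-input vs encode-on-output.
declare(strict_types=1);

// The thread's approach: HTML-encode once on the way in and store the result.
function cleanOnInput(string $dirty): string
{
    return trim(htmlentities($dirty, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Output-side encoders, one per destination context.
function forHtml(string $s): string      // HTML text and quoted attributes
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function forJs(string $s): string        // a string literal inside <script>
{
    // JSON_HEX_TAG stops "</script>" breaking out of the block.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}
function forUrl(string $s): string       // a query-string value
{
    return rawurlencode($s);
}

// Constructed input: an apostrophe, markup, an ampersand and a non-ASCII letter.
$name = "O'Brien <script>alert(1)</script> & café";

// 1. Encode on input. Storage now holds HTML, so every non-HTML sink is wrong.
$stored = cleanOnInput($name);
echo "Stored value:      $stored\n";                         // O&#039;Brien &lt;script&gt;... caf&eacute;
echo "Plain-text mail:   Hello, $stored\n";                  // the user reads &#039; and &lt; literally
echo "JSON API:          " . json_encode(['name' => $stored]) . "\n"; // client renders entities as text
echo "Re-edit form:      " . forHtml($stored) . "\n";        // double-encoded: &amp;#039; &amp;lt;
echo "Length check:      " . strlen($name) . " raw vs " . strlen($stored) . " stored\n"; // column limits hit early
echo "Search 'café':     raw=" . var_export(strpos($name, 'café') !== false, true)
   . " stored=" . var_export(strpos($stored, 'café') !== false, true) . "\n"; // LIKE '%café%' misses it
// html_entity_decode() does reverse this, but only if every reader knows the value
// was encoded, with which flags and charset; data from imports or APIs stays raw, so
// the column ends up mixed and nobody can tell which rows to decode.

// 2. Encode on output. Storage keeps the raw value; each sink encodes for itself.
$raw = trim($name);
echo "HTML body:   <p>" . forHtml($raw) . "</p>\n";
echo "Attribute:   <input value=\"" . forHtml($raw) . "\">\n";
echo "Script:      <script>var n = " . forJs($raw) . ";</script>\n";
echo "URL:         /search?q=" . forUrl($raw) . "\n";
echo "JSON API:    " . json_encode(['name' => $raw]) . "\n";
echo "Plain mail:  Hello, $raw\n";
```

Run it from the CLI and compare the two halves: the stored-encoded half is only correct for one of its five sinks, while the raw half is correct for all of them because the encoder is chosen by the destination, not by the source.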
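Posts 11 to 14 above ask how to gate large downloads on a token without PHP reading the bytes itself, and how speed can be controlled. The example below is added here and is not code from the thread: PHP issues and checks an expiring HMAC-signed link, then hands delivery to the web server with X-Accel-Redirect (nginx) or X-Sendfile (Apache mod_xsendfile), so sendfile(), Range requests for resuming and video seeking, and rate limiting happen in the server and no readfile() loop runs in PHP. SECRET_KEY, FILE_ROOT, the /protected/ internal location, dl.php and the parameter names are assumptions.

```php
<?php
// Added example, not from the thread: signed, expiring download links that PHP
// authorises and the web server delivers. All names below are hypothetical.
declare(strict_types=1);

const SECRET_KEY = 'replace-with-output-of-random_bytes(32)'; // assumption: kept out of the web root
const FILE_ROOT  = '/srv/protected';                          // assumption: outside the web root
const TTL        = 600;                                       // link lifetime in seconds

// Accept plain file names only, so no "../" or hidden file can reach the path.
function safeName(string $name): ?string
{
    return (preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $name) === 1 && $name[0] !== '.') ? $name : null;
}

// Signature over file, user and expiry: changing any of them invalidates the link.
function makeToken(string $file, int $userId, int $expires): string
{
    return hash_hmac('sha256', "$file|$userId|$expires", SECRET_KEY);
}

// Issued by the page a logged-in user clicks on.
function downloadUrl(string $file, int $userId, int $now): string
{
    $exp = $now + TTL;
    return '/dl.php?f=' . rawurlencode($file) . "&u=$userId&e=$exp&t=" . makeToken($file, $userId, $exp);
}

function verifyToken(string $file, int $userId, int $expires, string $token, int $now): bool
{
    if ($expires < $now || safeName($file) === null) {
        return false;
    }
    // hash_equals() compares in constant time, so the token can't be guessed byte by byte.
    return hash_equals(makeToken($file, $userId, $expires), $token);
}

// dl.php: validate, then delegate the transfer to the web server.
function serve(array $q, int $now): void
{
    $file   = (string)($q['f'] ?? '');
    $userId = (int)($q['u'] ?? 0);
    if (!verifyToken($file, $userId, (int)($q['e'] ?? 0), (string)($q['t'] ?? ''), $now)) {
        http_response_code(403);
        exit('Forbidden');
    }
    // To stop a link being shared before it expires, also require the session's
    // user id to equal $userId here (session handling omitted in this example).
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $file . '"'); // safeName() keeps this quotable
    // nginx: location /protected/ { internal; alias /srv/protected/; }
    // "internal" means only this header, never a direct request, can reach the files.
    header('X-Accel-Redirect: /protected/' . $file);
    header('X-Accel-Limit-Rate: 1048576');   // nginx throttles this response to 1 MiB/s
    // Apache with mod_xsendfile (XSendFile On; XSendFilePath /srv/protected) would use:
    // header('X-Sendfile: ' . FILE_ROOT . '/' . $file);
    exit;
}

// Issuing side:   echo downloadUrl('lecture01.mp4', 42, time());
// Serving side:   serve($_GET, time());   // in dl.php
```

The cookie-plus-referrer scheme from post 14 fails because both are attacker-controlled request headers; here the only thing that opens the file is a signature the server computed over the user, the file and a deadline, and the expensive part (moving the bytes) is left to the code that was built for it.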