
Your method of outputting data to the browser...


play_


I was just discussing with someone.

Say I have a form with a nickname input field, and any character can be input into the nickname field (<, *, $, etc.).

But on my SQL table the 'nickname' field is VARCHAR(16), meaning it can only hold 16 characters.

Whenever I want to output the nickname to the browser, I have to use htmlentities($row['nickname']), because if someone's nickname is '< b> something < /b>', that would get parsed and 'something' would be shown in bold.

But because the SQL field is VARCHAR(16), I can't use html_entity_decode($data) when inserting data into the table, because if the input field has characters like <, they would get converted to &gt;, which would use 4 characters out of the 16 instead of just 1.

So how do you guys do it?
Do you use htmlentities() whenever outputting data to the browser?

Hi there,
Why would you want HTML tags in a username field?
You can strip the HTML tags easily. As you have a very small field for the username (16),
it's better to strip all the tags instead of converting them.
And by the way, use addslashes() before putting data into the database. This will secure you from SQL injection attacks. Just use stripslashes() to remove the slashes before outputting the data to the browser.

Caution: don't forget to turn off magic_quotes_gpc. It causes more trouble than it saves you.

If you must stick with 16 characters, then I suppose there is no other way. As stated, you could strip_tags(), or you could do as you are currently.

I don't suppose it is a common problem; people tend to be picky about what characters are allowed in nicknames. Since nicknames and similarly closely filtered things (email?) are pretty much the only types of information stored in small-length fields, it's not surprising that this isn't a common problem. When you really want to filter raw text itself (e.g. not just matching for alphanumerics) it's in the larger MySQL fields... that would be why people might not be able to relate to your problem.

PS:
I'd suggest [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string()[/url] over addslashes() for avoiding SQL injection.

Thanks guys.
I don't want to use strip_tags() because I want the user to be able to have any character in his username (it's temporary anyway, it's for a pastebin).


and this is my connection script to the database:



[code]<?php
define('DB_USER', 'example');
define('DB_PASSWORD', 'example');
define('DB_HOST', 'localhost');
define('DB_NAME', 'example');

$dbc = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die('ooops.');
mysql_select_db(DB_NAME) or die(mysql_error());

// Function for escaping and trimming data before it goes into a query.
function escape_data($data) {
    global $dbc;
    // Undo magic_quotes_gpc first so the value is not escaped twice.
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }
    // Escape against the open connection (and therefore its charset).
    return mysql_real_escape_string(trim($data), $dbc);
}[/code]

Does that seem safe to you guys?
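The post above asks whether escape_data() is safe. As an added example, not code from any poster in this thread, here is the same insert done with a prepared statement, which is what replaces both mysql_real_escape_string() and addslashes(): the values are bound separately and never become part of the SQL text, so there is nothing to escape and magic_quotes_gpc has nothing to interfere with. It uses SQLite in memory so it runs offline; the table, column names, function names and the sample nicknames are assumptions made for the demo.

```php
<?php
// Added example (not from the thread): inserting and querying a nickname with
// PDO prepared statements instead of escaping. SQLite in memory so it runs
// offline; swap the DSN for a MySQL one in real code. Table and sample inputs
// are constructed for the demo.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // SQLite does not enforce VARCHAR(16). MySQL does, either by rejecting
    // (strict sql_mode) or silently truncating, so the application checks
    // the length itself rather than relying on the column.
    $pdo->exec('CREATE TABLE pastes (
        id INTEGER PRIMARY KEY,
        nickname VARCHAR(16) NOT NULL,
        body TEXT NOT NULL)');
    return $pdo;
}

function insert_paste(PDO $pdo, string $nickname, string $body): int {
    // No escaping and no stripslashes here: bound parameters are sent apart
    // from the SQL text, so quotes and backslashes cannot change the query.
    // Length is counted in characters, which is what VARCHAR(16) means.
    if (mb_strlen($nickname, 'UTF-8') > 16) {
        throw new InvalidArgumentException('nickname longer than 16 characters');
    }
    $stmt = $pdo->prepare('INSERT INTO pastes (nickname, body) VALUES (:nick, :body)');
    $stmt->execute([':nick' => $nickname, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function find_by_nickname(PDO $pdo, string $nickname): array {
    $stmt = $pdo->prepare('SELECT id, nickname, body FROM pastes WHERE nickname = :nick');
    $stmt->execute([':nick' => $nickname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();

// Constructed samples: a classic injection attempt and a nickname with a
// quote in it. Both are 16 characters or fewer.
$evil = "x' OR '1'='1";
insert_paste($pdo, $evil, 'first paste');
insert_paste($pdo, "O'Brien", 'second paste');

// The payload is stored byte for byte and matches only its own row. With
// string concatenation the same WHERE clause would have matched every row.
printf("rows for %s: %d\n", $evil, count(find_by_nickname($pdo, $evil)));
printf("rows for O'Brien: %d\n", count(find_by_nickname($pdo, "O'Brien")));
print_r($pdo->query('SELECT nickname FROM pastes')->fetchAll(PDO::FETCH_COLUMN));
```

Run it with `php file.php`; both lookups report one row. Two caveats worth remembering about the original escape_data() approach: mysql_real_escape_string() is only as good as the connection charset it has been told about (mysql_set_charset()), and addslashes() knows nothing about charsets at all; bound parameters sidestep both problems.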

yep.

I think what play wants is to restrict the user to having 14 characters in their nickname but allow them to make them bold, italic, illegible etc.

In that case allow MORE characters in the database field for their nickname (hell, go 255!), then when they submit use something like

[code]<?php
if (strlen(strip_tags($_POST['nickname'])) > 16) {
    // cancel the update
} else {
    // do the update
    // use addslashes anyway - even if magic quotes are on, so long as you use
    // stripslashes on the output it won't matter too much.
    // better to check and only use it if magic quotes is off, but if you aren't sure use it.
}
?>
[/code]
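Pulling the thread together as an added example (not code from any poster): both length rules proposed here, the original poster's count on the raw string and the last reply's count on the strip_tags() output, next to output encoding done exactly once with htmlspecialchars(). It also shows why the encoded form is not what should be stored, which is the original poster's problem with the 16-character column. The sample nicknames are constructed and the function names are assumptions.

```php
<?php
// Added example (not from the thread). Two length rules and the one place to
// HTML-encode: on output. Sample nicknames are constructed for the demo.

// Rule used by the original poster: any character allowed, length counted on
// the raw string, in characters rather than bytes, so 16 accented characters
// still fit a VARCHAR(16) in a UTF-8 column.
function nickname_fits_raw(string $nick, int $max = 16): bool {
    return mb_strlen($nick, 'UTF-8') <= $max;
}

// Rule from the last reply: count only the visible text so markup is "free",
// which then needs a wider column to hold the markup.
function nickname_fits_visible(string $nick, int $max = 16): bool {
    return mb_strlen(strip_tags($nick), 'UTF-8') <= $max;
}

// Encode once, at render time. ENT_QUOTES also covers attribute context, and
// the charset must match the page's, otherwise malformed byte sequences can
// slip past the encoder. ENT_SUBSTITUTE replaces invalid sequences instead of
// returning an empty string.
function render_nickname(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = [
    'plain',
    '<b>something</b>',                 // 16 raw chars, 9 visible
    '"><script>alert(1)</script>',      // 27 raw chars, 10 visible
    'héllo wörld',                      // 11 chars but 13 bytes
];

foreach ($samples as $nick) {
    printf("%-30s raw=%2d visible=%2d fitsRaw=%s fitsVisible=%s\n",
        $nick,
        mb_strlen($nick, 'UTF-8'),
        mb_strlen(strip_tags($nick), 'UTF-8'),
        nickname_fits_raw($nick) ? 'y' : 'n',
        nickname_fits_visible($nick) ? 'y' : 'n');
}

// Why the encoded form must not be what gets stored: '<' becomes '&lt;' (4
// characters), so '<b>something</b>' grows from 16 to 28 and no longer fits
// the column, and an output path that encodes again double-encodes it, so the
// user sees the literal text "&lt;b&gt;..." on the page.
$stored = '<b>something</b>';
$encodedBeforeStore = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
printf("raw length %d, encoded length %d\n",
    mb_strlen($stored, 'UTF-8'), mb_strlen($encodedBeforeStore, 'UTF-8'));
echo "stored raw, rendered once:  ", render_nickname($stored), "\n";
echo "stored encoded, rendered:   ", render_nickname($encodedBeforeStore), "\n";
```

Run it with `php file.php`. The table it prints shows the two rules disagreeing on '<b>something</b>' and on the script payload, and the last two lines show the single-encoded form the browser should get versus the double-encoded form that results from encoding before storing as well as on output.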
