[nycphp-talk] gnubie questions regarding working with form contents...
George Webb
gw.nyphp at gwprogramming.com
Thu May 1 23:11:52 EDT 2003
J.,
Don't forget that if you're outputting your results
to a web (HTML) page, you need to run htmlspecialchars() on
them so that any HTML entities will appear properly:
    foreach ( $arr as $key => $value ) {
        // escape both halves: either may contain user-supplied text
        $key = htmlspecialchars ( $key );
        $value = htmlspecialchars ( $value );
        echo "Key: $key; Value: $value<BR>\n";
    }
As a shortcut, if you know your "keys" are all already
safe for HTML, you can skip the htmlspecialchars() for each $key,
and just escape the "values." (But often you never *really* know;
someone could easily spoof your form and repost their own key/value
pairs.)
A lot of web applications neglect this HTML escaping
issue, which causes problems, including security risks! Example:
the user could type a <SCRIPT> block into one of the input fields,
which, when you echo it back un-escaped, would cause it to execute
under the authority of *your* webserver's domain!
In general, unless you know that your text data is valid
(and safe!) HTML, you almost (?) always should run htmlspecialchars()
on it before sending it to a web browser. In addition, you might
also want to use nl2br() to add appropriate line breaks.
Regarding Greg's post:
$arr = $HTTP_POST_VARS; // or is it $arr[] = $HTTP_POST_VARS;
the comment is not correct. $array = $other_array is correct.
Plus, with PHP > 4.1.0, $_POST works better than $HTTP_POST_VARS,
which is deprecated. Also, you can modify the built-in $_POST
array just fine, in my experience; no need to copy it to modify it.
Best, George.
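The escaping George describes, written out as an added example (this is not code from the original post or from anyone on the list). It puts the unescaped echo loop beside an escaped one so the difference is visible, and fills $_POST with constructed sample data when run from the command line so it works offline; the helper name h() and the sample values are assumptions of this example.

```php
<?php
// Added example, not from the original post: a minimal form echo script
// showing the unescaped "before" beside the htmlspecialchars() "after".
// The $_POST contents below are constructed sample data so the script runs
// from the CLI; in a real request PHP fills $_POST itself.
declare(strict_types=1);

if (PHP_SAPI === 'cli') {
    $_POST = [
        'name'    => "Mallory <script>alert(document.cookie)</script>",
        'comment' => "line one\n\"quoted\" & <b>bold</b>",
        // a spoofed key: nothing forces a client to send only the keys your form defines
        '<img src=x onerror=alert(1)>' => 'spoofed',
    ];
}

// Vulnerable: echoes user input straight into the page. The <script> in
// 'name' would run in the origin of the site that served this page.
function renderUnsafe(array $vars): string
{
    $out = '';
    foreach ($vars as $key => $value) {
        $out .= "Key: $key; Value: $value<br>\n";
    }
    return $out;
}

// Hardened: escape every key and value before it reaches the HTML body.
// ENT_QUOTES also escapes ' so the same helper is safe inside quoted
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(array $vars): string
{
    $out = '';
    foreach ($vars as $key => $value) {
        // Escape first, then nl2br(): the other order would escape the
        // <br /> that nl2br() just inserted. Keys are cast because PHP
        // turns numeric string keys into ints.
        $out .= 'Key: ' . h((string) $key)
              . '; Value: ' . nl2br(h((string) $value)) . "<br>\n";
    }
    return $out;
}

echo "--- unsafe ---\n", renderUnsafe($_POST),
     "\n--- escaped ---\n", renderSafe($_POST);
```

Run with `php escape_demo.php`: the unsafe half prints the <script> and the onerror payload as live markup, the escaped half prints them as visible text (`&lt;script&gt;...`). One caveat worth keeping in mind: htmlspecialchars() is the right tool for text nodes and quoted attribute values in HTML; a value dropped into a JavaScript string, a URL, or a CSS block needs that context's own encoding, not this one.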