NYCPHP Meetup

NYPHP.org

[nycphp-talk] Form field length vs. Database field length

Hans Zaunere hans at newyorkphp.com
Mon Dec 22 14:00:18 EST 2003


> We are having some trouble with submitting user data into the
> database. We have a database with a set field length and we want to
> be able to store user information such as name and address. We have
> checks in place to prevent users from submitting a 50 character string
> when the db only accepts 30, but we run into problems when they submit
> special characters. We want to avoid xss so we call htmlspecialchars()
> on any data before we insert it into the database. But if the field

The best bet might be to use egress htmlspecialchars() calls.  That is
to say, only call htmlspecialchars() when you're about to display the
data, rather than before storing it.  HTML entities won't have any
negative effect on SQL statements (but yeah, use
mysql_real_escape_string() or similar).

H
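The pattern Hans describes, as an added example that is not code from the thread: the raw, length-checked value goes into the database, SQL quoting is left to the driver, and htmlspecialchars() runs only at display time, so entity expansion can never collide with the column width. mysql_real_escape_string() was removed in PHP 7, so the example uses PDO prepared statements in its place; the table name, the 30-character column width and the in-memory SQLite database are assumptions made so it runs offline.

```php
<?php
// Added example, not from the original post. Shows "egress" encoding:
// store the raw, length-checked string, parameterise the SQL, and call
// htmlspecialchars() only when rendering. Table name, column width and
// the in-memory SQLite database are assumptions for a runnable demo.
declare(strict_types=1);

const NAME_MAX = 30; // assumed column width, e.g. VARCHAR(30)

// Length check on the raw string, counted in characters, not bytes.
function validateName(string $name): string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > NAME_MAX) {
        throw new InvalidArgumentException('name must be 1..' . NAME_MAX . ' characters');
    }
    return $name;
}

function storeName(PDO $db, string $rawName): int
{
    $name = validateName($rawName);
    // Parameterised query: the driver handles SQL quoting, so neither
    // htmlspecialchars() nor manual escaping is needed here.
    $stmt = $db->prepare('INSERT INTO customers (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function renderName(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT name FROM customers WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = (string) $stmt->fetchColumn();
    // Egress encoding: entities are produced for the HTML context only,
    // so their extra length never has to fit in the column.
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed input: 22 characters raw, 47 once encoded as entities.
$input = "O'Brien & Sons <\"Ltd\">";
$id = storeName($db, $input);

printf("raw length: %d (limit %d)\n", mb_strlen($input, 'UTF-8'), NAME_MAX);
echo "rendered:   ", renderName($db, $id), "\n";
// rendered:   O&apos;Brien &amp; Sons &lt;&quot;Ltd&quot;&gt;
```

Had the same input been passed through htmlspecialchars() before the INSERT, the 47-character entity string would have failed the 30-character check (or been silently truncated mid-entity by the database), which is exactly the problem the question describes.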