database programming

[Robert Hafner]

I recently finished adding a scouting database to out teams website. Please go do everything you can to break it, then tell me how you did it, so I can fix it. www.team96.org/scouting/

[deltacoder1020]

well, you probably shouldn't allow people to put HTML in the description boxes... try looking at the page for team 1020 to see what I mean.

you should run the PHP function strip_tags() on all incoming input from textboxes. also, you might considering running nl2br() on it after strip_tags to make newlines display correctly in html.

[Robert Hafner]

First of all, you are my new hero. That was cool.

Anyways, I fixed that. Of course, your team will probably need to enter new information now, since I dropped the other stuff.

Thanks.

[deltacoder1020]

One of my current projects (non-FIRST, so it's sorta on hold) is designing an e-commerce site for shareware/independent commercial software, and you wouldn't believe how much validation form submissions go through. Suffice to say that just about any input is limited to only the exact characters you would need for a response to that. For instance, an email field is only allowed the characters "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW XYZ@-_.0123456789", because those are the only characters one would need for an email address.

But the one thing you never want to let people do is submit HTML tags in any form that is going to be displayed back to the user.