bjlt
Senior Member
1144 Posts
Posted - 05 December 2002 : 12:50:13

In function chkString(pString,fField_Type) there's Case "archive" and Case "SQLString". I think these two should be identical, as they are input strings to the database. In "SQLString" there's fString = HTMLEncode(fString), while in "archive" there's not.
First, I can't figure out why fString = HTMLEncode(fString) is needed; second, if it's needed, don't we also need it in "archive"?

HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 05 December 2002 : 13:02:33

When you are archiving, the data has come directly from the db, so there is no need to do the extra steps, whereas the "SQLString" field type is for dealing with entered text from the browser.

bjlt
Senior Member
1144 Posts
Posted - 05 December 2002 : 13:05:42

Ah, I see. Thanks. I'm afraid I still don't know why we need HTMLEncode?

HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 05 December 2002 : 13:09:10

Try it without; you will soon find out.

David K
Junior Member
494 Posts
Posted - 05 December 2002 : 13:20:20

HTMLEncode prevents the use of HTML tags in the code, and it sets it so that you'll be able to see the actual code when a user posts something with HTML, for example <html> </html>

bjlt
Senior Member
1144 Posts
Posted - 06 December 2002 : 02:53:13

Thanks, I know what HTMLEncode does.
My question is, why do we need it in Case SQLString?
I see in other cases it is
if strAllowHTML <> "1" then fString = HTMLEncode(fString) end if
but in case SQLString it's just fString = HTMLEncode(fString).
Is it true that we don't need to HTMLEncode data to be entered into the database if it's not to be shown on web pages or we will allow HTML tags? Then I can't use chkString("",SQLString) on non-forum code, or I need one with the HTMLEncode line removed?
Maybe a guide to function chkString would be helpful.

HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 06 December 2002 : 04:08:29

I have no idea what you mean.

bjlt
Senior Member
1144 Posts
Posted - 06 December 2002 : 07:52:59

I meant chkString("",SQLString) is designed for Snitz, as it uses fString = HTMLEncode(fString). Generally we don't need functions like HTMLEncode for data to be entered into the database, right?
Then why, in other cases in chkString, is it if strAllowHTML <> "1" then fString = HTMLEncode(fString) end if?
Why in SQLString don't we need to check if strAllowHTML = 1?
With all other types (cases) in chkString, for what reason do we need HTMLEncode(fString) in case SQLString?

HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 06 December 2002 : 08:00:22

Why don't you try removing it and see? This has always been in the code since I started working with it, so I have no idea why it was originally added.

David K
Junior Member
494 Posts
Posted - 06 December 2002 : 08:27:39

Some functions (mostly admin ones) remove the HTML code when saving and not when displaying, to save resources. I would recommend you make a new parameter for chkString, make it do what you want, and when you need to use it and not the normal SQLString, use the one you made!

RichardKinser
Snitz Forums Admin
USA
16655 Posts
Posted - 06 December 2002 : 08:28:10

It's done the way it's done so that data already in the database won't need to be changed if the admin changes whether HTML is turned on or off. Basically we store the data in the database the same whether HTML is turned on or off.

David K
Junior Member
494 Posts
Posted - 07 December 2002 : 15:23:51

Exactly, it's safer to save HTML in an encoded format and later decode it if HTML is allowed, than to encode it when loading (should be much faster as well).
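As an added illustration of the storage convention Richard and David describe (this is a Python model written for this page, not the Snitz chkString code), the dispatch below uses the field-type names and the strAllowHTML check quoted in the thread; `chk_string`, `render` and the use of `html.escape` as a stand-in for HTMLEncode are assumptions of the model.

```python
import html

# Value of strAllowHTML that means "HTML allowed", as in the thread's snippet.
ALLOW_HTML = "1"


def chk_string(p_string: str, f_field_type: str, str_allow_html: str = "0") -> str:
    """Model of how a string is normalised before it reaches the database.

    "SQLString": text entered in the browser; always HTML-encoded on the way
                 in, so the stored form is the same whether HTML is on or off.
    "archive":   data that already came out of the database; stored as-is so
                 it is never encoded a second time.
    anything else: encoded only when the forum disallows HTML, i.e. the
                 `if strAllowHTML <> "1" then ...` branch the thread quotes.
    """
    if f_field_type == "SQLString":
        return html.escape(p_string)          # stand-in for HTMLEncode
    if f_field_type == "archive":
        return p_string                       # came from the db; no extra steps
    if str_allow_html != ALLOW_HTML:
        return html.escape(p_string)
    return p_string


def render(stored: str, str_allow_html: str) -> str:
    """Display-time counterpart: decode only if the admin allows HTML *now*."""
    return html.unescape(stored) if str_allow_html == ALLOW_HTML else stored


def toggle_is_safe(raw: str) -> bool:
    """True if the SQLString path stores the same bytes regardless of the
    strAllowHTML setting, which is what lets the admin flip the switch
    without rewriting existing rows."""
    return chk_string(raw, "SQLString", "0") == chk_string(raw, "SQLString", "1")


if __name__ == "__main__":
    posted = "<b>hi</b>"                      # constructed sample browser input
    stored = chk_string(posted, "SQLString")
    print("stored:", stored)
    print("HTML on :", render(stored, "1"))
    print("HTML off:", render(stored, "0"))
    print("archive re-store unchanged:", chk_string(stored, "archive") == stored)
```

The "anything else" branch shows the contrast the thread asks about: its stored form depends on the toggle at save time, while the SQLString form does not.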