[juggernaut]

I'm a beginner (just the first week) and encountered a problem with my message board script .
I'd be very glad if someone could list some functions that could help me.
I want to display any code as it is written without parsing it..

[Nico]

Have a look at htmlspecialchars().

[juggernaut]

Does it replace all `unsafe` symbols?

[bd_coder]

Quote:

Originally Posted by juggernaut

Does it replace all `unsafe` symbols?

If you only afraid of HTML tags and <script></script> type exploits , then you can use htmlspecialchars() as nico_swd said.

But for avoiding database related threats (SQL injection) you can escape unsafe characters using addslashes() or you can also use mysql_real_escape_string() for MySQL database.

[juggernaut]

addslashes() adds backslashes before quotes, right?
Would htmlentities() do the same also?

[Nico]

Quote:

addslashes

Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

http://us2.php.net/manual/en/function.addslashes.php

Quote:

htmlentities

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

Like htmlspecialchars(), the optional second quote_style parameter lets you define what will be done with 'single' and "double" quotes. It takes on one of three constants with the default being ENT_COMPAT:

http://us2.php.net/manual/en/function.htmlentities.php

[UnrealEd]

you could use the get_html_translation_table function as well:

PHP Code:

$trans = get_html_translation_table(HTML_ENTITIES);

$str = "Hallo & <Frau> & Krämer";

$encoded = strtr($str, $trans);

// output = Hallo &amp; &lt;Frau&gt; &amp; Kr&auml;mer 

UnrealEd