Many websites use databases. And databases use special characters to do things, such as mark the ends of input. For example, a website might use PHP code to look in a table of registered users. If this code doesn’t include suitable protection, nasty people can do nasty things by including the special characters in their input. (See here for examples.)
Fortunately, PHP provides ways to sanitise input by replacing such nasty characters with harmless equivalents. Unfortunately, I can’t get them to work.
It should, then, have been straightforward to sanitise the input by adapting the examples given at php.net. Several hours of out-of-cheese errors later, I wimped out. Despite the sanitised versions looking exactly as they should (so “text’ became “text’), my answer-processing code choked every time. My approach became let’s assume my website will never be attacked, so the only character I have to worry about is ‘ because Klingon uses loads of them!
PHP provides a function that removes any set of characters from a ‘victim’ string – and the result is guaranteed to be a string. So subjecting each answer to removal of ‘ would suffice. Eventually I had code that did just this. (It’s unbelievable how many typos can be made in repeating $escapedq00 = str_replace ($search, $replace, $q00); 20 times, even when using copy and paste!)
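An added example, not the post's own code: the apostrophe-stripping approach described above beside a PDO prepared statement, which keeps the apostrophe in the answer and still never lets the input be read as SQL. It uses an in-memory SQLite table with constructed sample data; the table and column names are assumptions.

```php
<?php
// Added example (not from the post). Compares stripping the quote character
// from an answer with binding the answer as a parameter, using an in-memory
// SQLite database so it runs offline. Table/column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE answers (id INTEGER PRIMARY KEY, answer TEXT NOT NULL)");

// Constructed sample data: a Klingon word, apostrophe included.
$expected = "Qapla'";
$insert = $pdo->prepare("INSERT INTO answers (answer) VALUES (:answer)");
$insert->execute([':answer' => $expected]);

// 1. The post's approach: remove every ' before using the answer.
//    This does keep the quote character out of the SQL text, but it
//    silently changes the data, so an answer that legitimately contains
//    an apostrophe can no longer match the stored value.
function stripQuotes(string $q00): string
{
    return str_replace("'", '', $q00);
}

// 2. Prepared statement: the value is bound as data and never spliced into
//    the SQL string, so no character in it needs removing or escaping and
//    the apostrophe survives intact.
function isCorrectAnswer(PDO $pdo, string $submitted): bool
{
    $check = $pdo->prepare("SELECT COUNT(*) FROM answers WHERE answer = :answer");
    $check->execute([':answer' => $submitted]);
    return (int) $check->fetchColumn() === 1;
}

$submitted = "Qapla'";
var_dump(stripQuotes($submitted) === $expected);      // stripped copy no longer matches
var_dump(isCorrectAnswer($pdo, $submitted));          // bound value matches as-is
```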
So I can now sanitise answers enough for this classroom exercise. I freely admit, both here and in my code, that it’s just not good enough for real life. But I can now move on to the rest of the MoSCoW list. Hurrah! No more out-of-cheese errors, and the webTribble is untroubled.