http://php.dzone.com/news/watch-your-post-save-php-post- Comments for "Watch Your POST: Save PHP POST Data as XML" en http://php.dzone.com/news/watch-your-post-save-php-post-#comment-2072 <!--paging_filter--><p>Thank you for your post Mark -- my parade continues to see sunshine.</p><p>Scrubbing input before inserting into the DB is a given and can be done after the function is run.  I don't do any DB scrubbing in the function because I currently use the function to write the POST=&gt;XML info to file.</p><p>Serializing the data is another option.</p><p>This function has worked great for me. Feel free to post your similar article to the PHP Zone! </p><p>&nbsp;</p> Wed, 26 Mar 2008 21:56:51 -0400 davidwalsh comment 2072 at http://php.dzone.com http://php.dzone.com/news/watch-your-post-save-php-post-#comment-2068 <!--paging_filter--><p>I hate to rain on your parade, but you've done a pretty mediocre job of re-inventing a wheel here.</p><p>Firstly theres no filtering of user input. If youre going to echo this to the page then you're opening it up to XSS attacks, if you're inserting into a database then you need to make sure you're escaping correctly.</p><p>Secondly (and perhaps most importantly), I'm left wondering why you needed to write this function at all? You could have used either the serialize function or JSON encoding (or no doubt a whole slew of existing libraries or code) to do a very similar thing in one line. They would be easier to parse and probably require less storage.</p><p>Then there's the really important point that hoping to parse your XML without enforcing wellformedness is just a nightmare waiting to happen. If you do insist on using XML for this, your reason is that you can parse it with other tools a later date, but with your current schema you'd need to either tokenise or regex it to all buggery for it to be reliable. Plus because you're not filtering user input theres no certainty that the user won't have added their own XML. </p> Wed, 26 Mar 2008 21:29:26 -0400 fam comment 2068 at http://php.dzone.com http://php.dzone.com/news/watch-your-post-save-php-post-#comment-2064 <!--paging_filter-->Not welformed is correct Ian, but I'm more concerned with being able to parse the data in an easy manner later on.  I can write something or find a tool that can easily parse this. Wed, 26 Mar 2008 17:09:46 -0400 davidwalsh comment 2064 at http://php.dzone.com http://php.dzone.com/news/watch-your-post-save-php-post-#comment-2062 <!--paging_filter--><p>This is an interesting concept, but the XML it generates may not be well-formed.</p><p>In the section shown below, the child elements have numeric names, but the first character of an XML element must be either an alpha char, a colon, or an underscore. </p><pre class="xml"> &lt;languages&gt; <br /> &lt;0&gt;php&lt;/0&gt; <br /> &lt;1&gt;javascript&lt;/1&gt; <br /> &lt;2&gt;java&lt;/2&gt; <br /> &lt;3&gt;css&lt;/3&gt; <br /> &lt;/languages&gt; </pre><p>&nbsp;</p> Wed, 26 Mar 2008 16:59:35 -0400 isnoop comment 2062 at http://php.dzone.com