> -----Original Message-----
> From: Ben Edwards [mailto:funkytwig@xxxxxxxxx]
> Sent: 26 January 2005 10:15
>
> On Tue, 25 Jan 2005 17:02:21 -0800, Chris
> <listschris@xxxxxxxxxxxxxxx> wrote:
> > You should probably use get_magic_quotes_runtime() , as _gpc only
> > applies to GET/POST/COOKIE,
> >
> > htmlspecialchars is needed so the HTML can be parsed properly:
>
> So is this only done to stuff that is to be displayed on
> a web page?  What happens if it is done to stuff that is
> (possibly) also passed through addslashes and written to the
> database.

You get HTML entities in your database.  This may not matter if all you do is use your database to make Web pages, but it's generally regarded as better form to store the text in clear in the database and convert it to the appropriate format for display at the time you want to display it.

> Also does it matter what order
> htmlspecialcharacters/addslashes???

Yes.

    htmlspecialchars(addslashes('"')) => \&quot;
    addslashes(htmlspecialchars('"')) => &quot;

> Everything that comes from the database (regardless of what
> is done to it next) is passed through the following function.
>
> function unprep( $text ) {
>   // Take data coming from the database and get it ready to be presented
>   // to the user.
>   if ( get_magic_quotes_gpc() ){

This should be magic_quotes_runtime(), since you are dealing with data obtained from the database at run time, not data passed via Get, Post or Cookie.

>     $result = stripslashes($text);
>   } else{
>     $result = $text;
>   }
>   $result = htmlspecialchars( $result );
>   return $result;
> }
> And before anything is written to the database it goes
> through the following function.
>
> function prep( &$text ) {
>   if ( get_magic_quotes_gpc() ) {
>     return $text;
>   } else {
>     return addslashes($text);
>   }
> }

That one looks good to go, assuming your database uses \ as an escaping character.
>
> But I am still getting the \', \\' thing happening.  One of
> my problems is I am not sure how to reliably look at the
> data at various stages.  If I do echo $value and it has \' in
> it is '\ displayed or is ' displayed.

If you echo a value that really does contain \', you will get \' displayed.

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Email: m.ford@xxxxxxxxxxxxxx
Tel: +44 113 283 2600 extn 4730      Fax:  +44 113 283 3211
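
The stages discussed in this thread, traced end to end as an added example that is not part of the original messages: one escape before storage, a double escape, and HTML encoding in both orders, printed as exact bytes. The helper names, the $alreadyEscaped flag (standing in for the magic-quotes settings) and the sample string are assumptions, and the simulated database round trip assumes \ is the database's escape character.

```php
<?php
// Added example: helper names and the sample string are constructed for illustration.

// Escape for storage. $alreadyEscaped stands in for a magic-quotes setting
// that has already added slashes to the incoming value.
function prep_for_db(string $text, bool $alreadyEscaped): string
{
    return $alreadyEscaped ? $text : addslashes($text);
}

// Assumption: the database treats \ as its escape character, so parsing the
// SQL string literal consumes exactly one level of backslashes.
function db_round_trip(string $escaped): string
{
    return stripslashes($escaped);
}

// HTML-encode only at the moment the value is written into a page.
function for_display(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES);
}

// Print the exact bytes plus their length; run from the CLI so no browser
// reinterprets entities or hides a backslash.
function show(string $stage, string $value): void
{
    printf("%-34s [%s] len=%d\n", $stage, $value, strlen($value));
}

$input = 'It\'s a "test"'; // constructed sample input
show('raw input', $input);

// Escaped once: the stored value equals the input, encoded only on output.
$once = prep_for_db($input, false);
show('escaped once', $once);
show('stored after one escape', db_round_trip($once));
show('displayed', for_display(db_round_trip($once)));

// Double escaping: slashes already present, then addslashes() runs again.
$twice = addslashes(prep_for_db($once, true));
show('escaped twice', $twice);
show('stored after two escapes', db_round_trip($twice));

// Order matters: the backslash survives into the HTML in the first case.
show('htmlspecialchars(addslashes)', htmlspecialchars(addslashes('"'), ENT_QUOTES));
show('addslashes(htmlspecialchars)', addslashes(htmlspecialchars('"', ENT_QUOTES)));
```

Comparing the len= values between stages shows where an extra level of backslashes was added, which is the point at which escaping ran twice.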