sorry...here is the message

On 8/19/05, areguera <alain.reguera@xxxxxxxxx> wrote:
> On 8/19/05, Ben Ramsey <ramsey@xxxxxxx> wrote:
> > Alain Reguera Delgado wrote:
> > > you could try:
> > >
> > > 1. get all form variables into an array
> >
> > fine
> >
> > > 2. validate values
> >
> > Good, but do this step as you put the values into a separate array,
> > don't put all the values into the array first and then validate them
> > later... make sure the input received is input expected and then save
> > only the input to the array that passes the validation/filtering tests
>
> yes .. that's much better .. :)
>
> > > 3. convert all values into entities using htmlentities()
> >
> > Why do you want to do this before saving to the database?
>
> Ben, I got some troubles when moving database from one server to
> another, all Latin characters disappear, and the info turns a mess.
> Thought for a moment a server's language configuration setting. I was
> wondering by days to take this way, I thought if someone else wants
> the application and occurs the same because his configuration is not
> like mine. Then that solution came to me. Felt no matter what version
> or configuration of mysql or other db is used or what Latin char is
> inserted, the data always be there for the web, in the language it
> speaks.
> > This step has
> > absolutely no bearing on preparing the statement for insertion into a
> > database. It won't protect against SQL injection.
> > Also, you will never
> > be able to do anything with this data other than use it for HTML output
> > (unless you try to reverse the entities, which seems like an awful lot
> > of work to me).
>
> yes, I don't like it either... it's not flexible.
> > It's best to save the raw data as entered and escape it
> > (with htmlentities() or something else) ONLY on output.
>
> that was the first way I used to go...
> but after that problem, I am not sure
>
> >
> > As I mentioned in my last post to this thread, the best way to escape a
> > string for insertion into a database (and protect against SQL injection)
> > is to use the escape function for the particular database --
> > mysql_real_escape_string() in this case. You should never use
> > htmlentities() to escape data before saving it to a database. Do that
> > only after you've pulled data from the database and are outputting it
> > somewhere (like on a Web page).
> >
> > > 4. build sql query (do some tests 'til get it right)
> > > 5. execute the built query (with proper db function)
> > >
> > > by now, commas aren't a problem, they are limited between sql query's
> > > quotes. If some quotes are inserted as value they are previously
> > > converted to its entities and do not break the sql query.
> >
> > This is why you use mysql_real_escape_string(), etc. -- not htmlentities().
> >
> > > as previously said in this thread, the problem is on quoting and maybe
> > > on converting the values to entities, to prevent some quote break the
> > > sql structure.
> >
> > You don't need to convert the values to HTML entities when saving to a
> > database. That's not going to prevent this problem.
>
> could you suggest something about Latin characters and portability?
>
> >
> > --
> > Ben Ramsey
> > http://benramsey.com/
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
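The validate-then-escape flow Ben describes above, as an added example written for this page (it is not code from the thread, from Ben, or from php.net). The thread names mysql_real_escape_string(); the ext/mysql extension it belongs to was removed in PHP 7, so the example uses the procedural mysqli functions, which do the same job (note that mysqli_real_escape_string() takes the link as its first argument, the reverse of the old order). The connection parameters, the `users` table and the field rules are assumptions; $_POST is whatever the form sends.

```php
<?php
// Added example, not the thread's own code. Assumed: a MySQL database
// 'appdb' reachable on localhost as user 'app', and a table
//   CREATE TABLE users (name VARCHAR(60), email VARCHAR(254), age INT)
//   CHARACTER SET utf8mb4;

// Step 2: the only fields we expect, each with a check. Anything else in
// the form is ignored; anything that fails its check is rejected, not "fixed".
$rules = array(
    'name'  => function ($v) {
        // byte length, since VARCHAR(60) here is an assumption on the column
        return is_string($v) && strlen($v) > 0 && strlen($v) <= 60;
    },
    'email' => function ($v) {
        return filter_var($v, FILTER_VALIDATE_EMAIL) !== false;
    },
    'age'   => function ($v) {
        $opts = array('options' => array('min_range' => 0, 'max_range' => 150));
        return filter_var($v, FILTER_VALIDATE_INT, $opts) !== false;
    },
);

// Validate while copying: only values that pass land in the clean array,
// and they are stored raw -- no htmlentities() at this stage.
function validate_input(array $input, array $rules, array &$errors)
{
    $clean = array();
    foreach ($rules as $field => $check) {
        if (!isset($input[$field]) || !$check($input[$field])) {
            $errors[] = $field;
            continue;
        }
        $clean[$field] = $input[$field];
    }
    return $clean;
}

$errors = array();
$clean  = validate_input($_POST, $rules, $errors);
if ($errors) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid fields: ' . implode(', ', $errors));
}

// Steps 4-5: escape with the database's own function, and declare the
// connection charset first. mysqli_set_charset() (rather than a raw
// "SET NAMES" query) is what tells the escaper which encoding the bytes
// are in, so multibyte/Latin characters are escaped and stored consistently.
$link = mysqli_connect('localhost', 'app', 'secret', 'appdb'); // assumed credentials
if (!$link) {
    exit('connect failed: ' . mysqli_connect_error());
}
mysqli_set_charset($link, 'utf8mb4');

$sql = sprintf(
    "INSERT INTO users (name, email, age) VALUES ('%s', '%s', %d)",
    mysqli_real_escape_string($link, $clean['name']),
    mysqli_real_escape_string($link, $clean['email']),
    (int) $clean['age']           // numeric column: cast, do not quote
);
if (!mysqli_query($link, $sql)) {
    exit('insert failed: ' . mysqli_error($link));
}

// Output, and only output, is where htmlentities() belongs. The charset
// argument must match what the page is served as (UTF-8 here).
header('Content-Type: text/html; charset=UTF-8');
$res = mysqli_query($link, 'SELECT name, email FROM users ORDER BY name');
echo "<ul>\n";
while ($row = mysqli_fetch_assoc($res)) {
    echo '<li>', htmlentities($row['name'], ENT_QUOTES, 'UTF-8'),
         ' &lt;', htmlentities($row['email'], ENT_QUOTES, 'UTF-8'), "&gt;</li>\n";
}
echo "</ul>\n";
mysqli_close($link);
```

On Alain's open question about Latin characters and portability (a suggestion of this page's editor, not Ben's reply): the symptom he describes is the usual result of the connection charset and the column charset disagreeing between the two servers, so a dump from one and a restore on the other reinterprets the bytes. Declaring both explicitly, as above with utf8mb4 on the column and mysqli_set_charset() on the connection, keeps the raw data portable without entity-encoding it, which is what makes Ben's "store raw, escape on output" advice workable across servers. The example keeps the thread's escape-function approach so it reads against the discussion; prepared statements with bound parameters (mysqli_prepare() or PDO) are the current recommendation for the insertion step.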