hey chris... thanks!! but what do you mean by "...escape output!!" is that output of the query, which is input to the db? as i understand it, you escape the query vars, after filtering/validation, that you're going to touch the db with... (insert/update/select) am i on your same wavelength?? -bruce -----Original Message----- From: Chris Shiflett [mailto:shiflett@xxxxxxx] Sent: Thursday, September 22, 2005 7:15 PM To: bedouglas@xxxxxxxxxxxxx Cc: 'Chris W. Parker'; php-general@xxxxxxxxxxxxx Subject: Re: basic user/input form questions... more validation! bruce wrote: > not sure i agree with this one.. if i put "foo \' cat" in a db tbl... > i expect that i'll get the same out... which is what some of the > articles i've seen have stated.. are you telling me, and are you sure, > that i'd get "foo ' cat" out instead!!???? > > the articles i've seen imply that if you addslashes, you also need to > stripslashes on the backend... You're reading the wrong articles. :-) Escaping is something you do to preserve data, period. If you have data that is going to enter a context where it can be considered anything other than data, it needs to be escaped. I often simplify this by suggesting that you always escape output. I did a podcast about this topic a few weeks ago: http://pro-php.com/index.php?post_id=10 I also wrote a small followup blog entry: http://shiflett.org/archive/133 Hope that helps. Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php