Re: basic user/input form questions... more validation!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



bruce wrote:
i would agree, and didn't think it made sense.. but i don't know what you
mean by the phrase 'escape all output'!! i don't see the need to escape all
output from the mysql db/tbl... so i'm not sure you meant this.

Output can be (among other things):

* Your script => MySQL
* Your script => User's browser
* Your script => Shell

Anything that leaves the realms of your PHP script is considered output from that script, and should be escaped.

* Output from your script to MySQL should be escaped with mysql_real_escape_string() * Output from your script to the user's browser should be escaped with htmlspecialchars() * Output from your script to the shell should be escaped with escapeshellcmd() and escapeshellarg()

[snip]
as fars as getting data from the mysql db/tbl, i'd simply use the sql
command/query. i'd extract the resulting data, and use the data in vars that
i've defined to be the specific data type.

And hopefully htmlspecialchars() it if you intend outputting it to the user's browser...

--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux