Brad Bonkoski wrote:
Looks good to me, just make sure you use:
http://www.php.net/manual/en/function.stripslashes.php
if you have to dump that information back to the users.
(you might want to check out: addslashes() to add the slashes before
your DB insert, just to keep those things under your command)
-Brad
No, no, no. Bad coder.
Correct way is to escape the data being put into your db with
mysql_real_escape_string(), and have magic_quotes OFF. There is no need
to stripslashes() when retrieving the data (and you'll end up stripping
slashes that are supposed to be in the data). htmlentities() is better
used for displaying data (or passing it from one page to the next),
pretty useless for db entries.
Always, always, always...
mysql_real_escape_string()
Bare minimum.
afan@xxxxxxxx wrote:
Hi to all!
After the form is submitted, some fields are filled with single and/or
double quote info (like: 1'2"x2'4", or sky's blue, or "cool" stuff).
I validate what I got using mysql_real_escape_string() and then store the
result in MySQL. And it will be stored as: 1\'2\"x2\'4\", and sky\'s blue, and \"cool\" stuff.
Is this the correct way, or would the "correct" way be to convert the quotes into HTML
entities? If yes, does that mean I have to use htmlentities($Size, ENT_QUOTES)?
Thanks for any thoughts!
-afan
--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnichel@xxxxxxxxxxxxxxxxxxxxxxxxxxx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
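The distinction John draws above (escape for the database at the database boundary, encode for HTML at the display boundary, and never stripslashes() on the way out) is easier to see in code. The following is an added example and is not part of the thread or the PHP manual; the sample strings are constructed from afan's examples, the `items` table and `size` column are hypothetical, and the two mysqli functions assume a live connection (they are not called in the offline demo at the bottom). mysqli_real_escape_string() is used as the current equivalent of the mysql_real_escape_string() named in the thread, and the prepared-statement variant shows the form that makes manual escaping unnecessary.

```php
<?php
// Added example, not from the thread. Shows why addslashes()/stripslashes() loses data
// and how to separate SQL escaping from HTML encoding.

// Constructed inputs, taken from afan's message plus one value containing a real backslash.
$samples = ['1\'2"x2\'4"', "sky's blue", '"cool" stuff', 'C:\\temp\\notes'];

// Brad's pattern: addslashes() before the INSERT, stripslashes() when displaying.
// A correctly escaped INSERT does not store the backslashes: the SQL parser consumes
// them, so the value read back is the original. stripslashes() then removes any
// backslash that was genuinely part of the data (John's objection).
function round_trip_with_stripslashes(string $input): string {
    $stored = $input;             // what MySQL actually holds after an escaped INSERT
    return stripslashes($stored); // 'C:\temp\notes' comes back as 'C:tempnotes'
}

// John's pattern, step 1: escape only inside the SQL statement, with magic_quotes off
// (magic_quotes_gpc was removed in PHP 5.4, so nothing pre-escapes input today).
function build_insert(mysqli $db, string $size): string {
    $escaped = mysqli_real_escape_string($db, $size);
    return "INSERT INTO items (size) VALUES ('$escaped')"; // hypothetical table/column
}

// Same boundary, better tool: a bound parameter never needs escaping at all.
function insert_prepared(mysqli $db, string $size): bool {
    $stmt = $db->prepare('INSERT INTO items (size) VALUES (?)');
    $stmt->bind_param('s', $size);
    return $stmt->execute();
}

// John's pattern, step 2: encode only when the raw stored value is rendered as HTML.
// ENT_QUOTES (afan's question) is what turns both ' and " into entities.
function render_cell(string $fromDb): string {
    return '<td>' . htmlentities($fromDb, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Offline demo: no database needed for the two failure/success points above.
foreach ($samples as $value) {
    printf("raw:            %s\n", $value);
    printf("stripslashes(): %s\n", round_trip_with_stripslashes($value));
    printf("html:           %s\n\n", render_cell($value));
}
```

Running the demo shows the first three values surviving stripslashes() only because they contain no backslashes; the fourth loses both of its. The HTML column is the same raw string encoded once, at output, which is why the stored value itself should never carry entities or added slashes.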