Brad Bonkoski wrote:
> Looks good to me, just make sure you use:
> http://www.php.net/manual/en/function.stripslashes.php

this is bad advice...

> if you have to dump that information back to the users.
> (you might want to check out: addslashes() to add the slashes before

having to use stripslashes() and/or addslashes() when putting stuff
into the DB and/or when outputting stuff coming from the database
indicates that there is something (subtly?) wrong with the code in question.

> your DB insert, just to keep those things under your command)

1. make sure add_magic_quotes [or whatever it's called exactly]
(and all its siblings) are off.
2. use mysql_escape_string() or mysql_real_escape_string() [preferred] to
escape data being put into the DB
3. use something like htmlentities() when displaying stuff in the browser
coming from the DB - this is dependent on what exactly you are displaying and
in what context - you don't want to entitize HTML that is meant to be used as HTML
(but then you would want to entitize the same HTML if you were displaying the HTML
in a textarea for editing purposes)... always beware of cross-site-scripting vulnerabilities,
which comes down to:
1. clean & validate your input
2. use correct escaping when outputting (e.g. outputting to the DB, outputting
to the browser, etc.)

oh, read all of phpsec.org - that site goes to great pains to explain the
security issues inherent in [not] escaping/validating input/output.

> -Brad
>
> afan@xxxxxxxx wrote:
>> Hi to all!
>> After the form is submitted, some fields are filled with single and/or
>> double quote info (like: 1'2"x2'4", or sky's blue, or "cool" stuff).
>> I validate what I got using mysql_real_escape_string() and then store the
>> result in MySQL. And, it will be stored as: 1\'2\"x2\'4\", and sky\'s
>> blue, and \"cool\" stuff.
>> Is this the correct way, or would the "correct" way be to convert quotes into HTML
>> entities? If yes, does that mean I have to use htmlentities($Size, ENT_QUOTES)?
>> Thanks for any thoughts!
>> -afan
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
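The two-layer rule the reply lays out (escape for the database on the way in, escape for the HTML context on the way out, no magic quotes or addslashes() in between), as an added PHP example that is not from this thread; it assumes a mysqli connection $db and a constructed table `sizes` (name VARCHAR, size VARCHAR):

```php
<?php
// Added example, not from the thread. Assumes an open mysqli connection $db
// and a constructed table `sizes` (name VARCHAR, size VARCHAR).

// Layer 1: take the form value as-is. If magic_quotes_gpc is on (PHP < 5.4),
// the value already carries backslashes; strip them once so that escaping
// below does not double up and store 1\\'2 instead of 1'2.
function raw_input(string $key): string {
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Storage with a prepared statement: values travel separately from the SQL
// text, so the table holds the literal 1'2"x2'4" with no backslashes at all.
function store_size(mysqli $db, string $name, string $size): bool {
    $stmt = $db->prepare('INSERT INTO sizes (name, size) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $size);
    return $stmt->execute();
}

// Same result with the escaping function discussed in the thread: the
// backslashes exist only inside the SQL string literal, and MySQL removes
// them when it parses the statement, so the stored value is still 1'2"x2'4".
function store_size_escaped(mysqli $db, string $name, string $size): bool {
    $sql = sprintf("INSERT INTO sizes (name, size) VALUES ('%s', '%s')",
        $db->real_escape_string($name), $db->real_escape_string($size));
    return (bool) $db->query($sql);
}

// Layer 2: escape for HTML at display time, never at storage time.
// ENT_QUOTES also converts ' so the value is safe inside quoted attributes.
function html_text(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Usage: store once, render the same stored value in two HTML contexts.
$size = raw_input('size');                  // e.g. 1'2"x2'4" from the form
store_size($db, 'desk', $size);
$row = $db->query("SELECT size FROM sizes WHERE name = 'desk'")->fetch_assoc();
echo '<p>Size: ' . html_text($row['size']) . '</p>';
echo '<input type="text" name="size" value="' . html_text($row['size']) . '">';
```

Storing htmlentities() output instead would leave `&#039;` and `&quot;` in the table, which is wrong for any consumer of the data that is not an HTML page.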