OK. I just made one test; if you can, then explain something to me:

I entered afan's "crazy" web in a form (textarea) and stored it in the DB
using mysql_real_escape_string(). In the DB, it's stored with slashes:

    afan\'s \"crazy\" web

Then I pulled that from the DB in three different ways:

    $query  = mysql_query("select gen_value from dbtest where rec_id = 5");
    $result = mysql_fetch_array($query);

    echo $result['gen_value'];                // gives afan\'s \"crazy\" web
    echo stripslashes($result['gen_value']);  // gives afan's "crazy" web
    echo htmlentities($result['gen_value']);  // gives afan\'s \"crazy\" web

If stripslashes() is not correct to use - what then?!?

-afan

> afan@xxxxxxxx wrote:
>> After these very helpful comments, I read (again) Shiflett's (and a few
>> others') security articles about filtering input and output. And the more
>> I read, the less is clear :(
>>
>> Before, I used addslashes() before inserting data into the database and
>> stripslashes() to show it on screen.
>>
>> Later I found it's not good and started using mysql_real_escape_string()
>> to add to the DB and stripslashes() to show on screen.
>
> If you have to stripslashes() when you pull data out of the db, you're
> doing something wrong (like running with magic_quotes* on, therefore
> double escaping your data).
>
>> But, also, I thought mysql_real_escape_string() is a "filter" for
>> everything, e.g. let's have three links (add, delete, edit) as
>
> mysql_real_escape_string() *only* escapes the data which needs to be
> escaped for your particular db version.
>> <a href=index.php?action=add&rec_id=$rec_id>Add new</a>
>> <a href=index.php?action=edit&rec_id=$rec_id>Edit</a>
>> <a href=index.php?action=delete&rec_id=$rec_id>Delete</a>
>>
>> and I was doing it this way:
>>
>> #index.php
>> <?php
>> if (isset($_GET['action']))
>> {
>>     $action = mysql_real_escape_string($_GET['action']);
>>     $rec_id = mysql_real_escape_string($_GET['rec_id']);
>>     switch ($action)
>>     {
>>         case 'add':
>>             // add new record
>>             break;
>>
>>         case 'edit':
>>             // edit record
>>             break;
>>
>>         case 'delete':
>>             // delete record
>>             break;
>>     }
>> }
>> ?>
>>
>> It means that $action I will never store in the DB, nor show on screen.
>> Am I then wrong to do
>> $action = mysql_real_escape_string($_GET['action']);
>> or should I do
>> $action = htmlentities($_GET['action']);
>> or is
>> $action = $_GET['action'];
>> just fine?
>
> If you're not going to display it or insert it...if all you're doing is
> checking the value of it, then you don't need to modify it.
>
> --
> John C. Nichel IV
> Programmer/System Admin (ÜberGeek)
> Dot Com Holdings of Buffalo
> 716.856.9675
> jnichel@xxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
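Added example, not code from afan or John: the three situations in the exchange above (a value going into the DB, the same value going to the screen, and $_GET['action'] that is only compared), each handled by the mechanism that fits it. It swaps the thread's mysql_real_escape_string() for a PDO prepared statement, which sends the value separately from the SQL text so nothing is escaped and nothing can be double-escaped; HTML escaping happens only at output; the action parameter is checked against a whitelist rather than escaped. The `dbtest` table, the in-memory SQLite database and the sample string are constructed for the demo; a `doubleEscaped()` helper reproduces the magic_quotes-plus-escape effect John describes, the cause of the stored backslashes.

```php
<?php
// Added example (not from the thread). Runs offline with the pdo_sqlite
// extension; table, database and sample value are constructed here.
declare(strict_types=1);

// 1. Storage: a prepared statement separates data from SQL text, so the
//    value needs no escaping on the way in and no stripslashes() on the
//    way out.
function storeAndFetch(PDO $db, string $value): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS dbtest (rec_id INTEGER PRIMARY KEY, gen_value TEXT)');
    $ins = $db->prepare('INSERT INTO dbtest (gen_value) VALUES (:v)');
    $ins->execute([':v' => $value]);
    $id = (int) $db->lastInsertId();

    $sel = $db->prepare('SELECT gen_value FROM dbtest WHERE rec_id = :id');
    $sel->execute([':id' => $id]);
    return (string) $sel->fetchColumn();
}

// 2. Output: escape for the HTML context at the point of display; the
//    SQL escaper has nothing to do with this step.
function renderHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Control flow: the action is never stored or displayed, so it is
//    validated against the set of known actions, not escaped. rec_id is
//    constrained to digits before it is used anywhere.
function dispatch(string $action, string $recId): string
{
    $allowed = ['add', 'edit', 'delete'];
    if (!in_array($action, $allowed, true)) {
        return 'unknown action';
    }
    if (!ctype_digit($recId)) {
        return 'bad rec_id';
    }
    return "would $action record " . (int) $recId;
}

// The failure mode behind the stored backslashes: if magic_quotes_gpc
// (or a manual addslashes()) already escaped the request data, escaping
// it a second time stores literal backslashes, which is what makes
// stripslashes() look necessary on the way out.
function doubleEscaped(string $raw): string
{
    $onceByMagicQuotes = addslashes($raw);   // what PHP hands you with magic_quotes on
    return addslashes($onceByMagicQuotes);   // second escape: backslashes are now data
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$input  = 'afan\'s "crazy" web';         // constructed sample, as typed into the textarea
$stored = storeAndFetch($db, $input);

var_dump($stored === $input);            // the value round-trips unchanged
echo renderHtml($stored), "\n";          // safe for an HTML page
echo dispatch('delete', '5'), "\n";
echo dispatch("delete'; DROP TABLE dbtest; --", '5'), "\n";  // rejected by the whitelist
echo dispatch('edit', '5 OR 1=1'), "\n";                     // rejected by ctype_digit
echo doubleEscaped($input), "\n";        // shows the extra backslashes
```

Run it with `php example.php` (pdo_sqlite must be enabled). The point the round-trip makes is John's: if the value comes back with slashes, the escaping was applied twice somewhere on the way in, and the fix is to remove the extra layer, not to add stripslashes() on the way out.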