On 9/29/06, Ivo F.A.C. Fokkema <I.F.A.C.Fokkema@xxxxxxx> wrote:
On Thu, 28 Sep 2006 11:33:06 -0400, Eric Butera wrote:

He's not actually *putting* it in a database, so isn't it useless to use a mysql_ function for this...? Maybe I misunderstand Tedd and he does use a database, as I don't see why he would need mysql_real_escape_string() for cleaning input...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Ivo,

If that is the case then I am sorry for posting an irrelevant comment. I just figured somebody using mysql escaping was putting it in the DB.

Tedd,

Not to make a big deal out of this, but are you aware of the differences between filtering input and escaping output? mysql_real_escape_string is for escaping something for the database. It doesn't filter or clean anything. Just like htmlentities escapes for HTML output. Use regexes for cleaning user input. A good example of this would be Zend_Filter in the Zend Framework. They made methods such as getAlpha for only returning alphabetical characters. This way you clean your data to make it exactly what you want, versus escaping it to make sure where you are putting it accepts it.
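As an added example that is not from this thread, here is the distinction Eric draws, written out in PHP: a whitelist filter decides what the input is allowed to be, while each output context (HTML, SQL) gets its own escaping at the point of use. The `mysqli` connection `$db`, the `comments` table and the sample input are assumptions, and a prepared statement stands in for the legacy mysql_real_escape_string.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ and, for the
// database case, an already-open mysqli connection $db (not created here).

// FILTERING: decide what the data is allowed to BE, once, at the input
// boundary. Modelled on a Zend_Filter getAlpha-style whitelist: keep only
// letters and throw everything else away.
function filterAlpha(string $input): string
{
    return preg_replace('/[^a-zA-Z]/', '', $input);
}

// A stricter filter rejects instead of stripping, so that bad input is
// visible to the caller rather than silently reshaped into something valid.
function validateUsername(string $input): ?string
{
    return preg_match('/^[a-zA-Z0-9_]{3,20}$/', $input) === 1 ? $input : null;
}

// ESCAPING FOR HTML: makes a value safe for this output context only; the
// value itself is unchanged in meaning and may still be "bad" for SQL.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// ESCAPING FOR SQL: the database context. The legacy mysql_real_escape_string
// escaped a value for a hand-built query string; binding the value through a
// prepared statement keeps data and query text apart, so no escaping is
// needed and no filtering is implied.
function insertComment(mysqli $db, string $author, string $body): bool
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $author, $body);
    return $stmt->execute();
}

// Constructed sample input: a value no escaping function would "clean".
$raw = "O'Brien <b>bold</b>; DROP TABLE users --";

echo filterAlpha($raw), "\n";      // letters only survive the filter
var_dump(validateUsername($raw));  // fails the whitelist, so null
echo escapeForHtml($raw), "\n";    // safe to echo into HTML, still not "clean"
```

The point of keeping the three functions separate is that a value can be validated once on entry and then escaped differently for each place it is later written; using any one of the escapers as a general "cleaner" leaves the other contexts unprotected.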