Re: mysql_real_escape_string() question

Richard Lynch wrote:
> Though I confess, I'm sometimes at a loss how to properly escape
> certain data for certain situations...
> 
> Here's an example:
> Take the Subject of an email.
> 
> Sure, I've sanitized it to be sure there are no newlines for header
> injection.
> 
> But now how do I properly escape it to be sure it's a kosher email
> subject?
> 
> Where's the PHP function smtp_escape()?

Some contexts don't require/support escaping. It's a bummer in the sense
that it places more responsibility on your filtering, but that's about it.

In several cases, ctype_print() can be used as a nice defense in depth
mechanism to make sure there are no newlines or carriage returns (or
anything else that isn't printable).

> I'm looking for a guide, a chart, a grid, an organized systemic
> documentation of what data should be escaped how as it travels
> through the "glue" that is PHP...

That's a great idea. Want to write it? :-) I'd be happy to help.

Chris

-- 
Chris Shiflett
http://shiflett.org/

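One way to apply the ctype_print() check Chris describes to an email subject, as an added PHP example that is not part of the original thread; is_safe_subject() and the sample subjects are constructed for illustration:

```php
<?php
// Hypothetical helper (not from the thread): accept a subject only if it is a
// single line of printable ASCII. ctype_print() returns true only when every
// byte is in 0x20-0x7E (under the default "C" locale), so CR, LF, tab and NUL
// are rejected along with any non-ASCII byte. Caveat: a UTF-8 subject such as
// "Grüße" is rejected too; encode it per RFC 2047 before checking rather than
// loosening the filter.
function is_safe_subject(string $subject, int $maxLen = 255): bool
{
    if ($subject === '' || strlen($subject) > $maxLen) {
        return false;
    }
    return ctype_print($subject);
}

// Constructed sample inputs: subject => expected verdict.
$samples = [
    "Meeting on Friday"          => true,
    "Re: order #1234 (urgent)"   => true,
    "Hello\r\nSecond: line"      => false, // CR/LF would start a new header
    "Tab\there"                  => false, // tab is not printable
    "Grüße"                      => false, // non-ASCII bytes are rejected
    ""                           => false, // ctype_print('') is false
];

foreach ($samples as $subject => $expected) {
    $result = is_safe_subject($subject);
    printf("%-30s %s\n", json_encode($subject), $result ? 'accepted' : 'rejected');
    assert($result === $expected);
}
```
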
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
