Re: how to handle inserting special characters into a mysql field


 



Bastien Koert wrote:
> use mysql_real_escape_string
>  
> bastien 
>> Date: Fri, 14 Dec 2007 08:40:47 -0600
>> From: awilliam@xxxxxxxxxxxxxxxx
>> To: php-general@xxxxxxxxxxxxx
>> Subject: how to handle inserting special characters into a mysql field
>>
>> I'm going to be inserting data from a PHP form into a mysql field. The
>> data could contain special characters like < > ' " \ /, etc. How do I
>> handle that? just $data = addslashes(htmlspecialchars($data)); before
>> the insert query? because later on the data will be read back from the
>> mysql db and I don't want it to contain a special character that would
>> break the PHP script.
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php

I think both of you missed the OP's point.

He wants it to be safe when he prints out the content into an HTML page.  Hence, he wants < > to be
safe.  Granted, what you suggest is correct for CYA'ing when you insert into the DB.

But, what I think the OP really wants is killing the HTML characters.

OP

I would do two things.
	1. when inserting your data into your SQL string, escape it using mysql_real_escape_string
		or escape_string() if you are using the mysqli extension
	2. when you pull your data out of the DB to be displayed on screen,
		pass it through htmlspecialchars() or htmlentities()
		htmlspecialchars() uses a subset of htmlentities(), your choice which one to use.

I would not use the addslashes() anywhere.  The first step above eliminates the need to use
addslashes()

-- 
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
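The two-boundary approach Jim lays out above, written out as an added example (this is not code from the original thread). It assumes the mysqli extension built against mysqlnd (for get_result()), a table named `notes` with an auto-increment `id` and a text column `body`, and the placeholder connection parameters shown; all of those are assumptions, not something the thread specifies. Step 1 is shown twice: once with real_escape_string() as the post suggests, and once with a prepared statement, which goes beyond the post but solves the same problem without any escaping function. Step 2 is htmlspecialchars() on the way out to the page.

```php
<?php
// Added example, not from the original post.
// Assumes: mysqli + mysqlnd, a `notes` table (id INT AUTO_INCREMENT, body TEXT),
// and placeholder credentials. The sample input below is constructed.

declare(strict_types=1);

// ---- Boundary 1: SQL. Escape (or bind) only when building the query. ----

function connect(): mysqli {
    // Placeholder credentials; replace with your own.
    $db = new mysqli('localhost', 'appuser', 'secret', 'appdb');
    // real_escape_string() is charset-aware, which is why it needs a live
    // connection and why addslashes() is not a substitute for it.
    $db->set_charset('utf8mb4');
    return $db;
}

// Step 1 as written in the post: escape the value into the SQL string.
// The escaping is undone by the server, so the stored text is the raw input.
function insertEscaped(mysqli $db, string $data): int {
    $sql = "INSERT INTO notes (body) VALUES ('" . $db->real_escape_string($data) . "')";
    $db->query($sql);
    return (int) $db->insert_id;
}

// Same step with a prepared statement: the value never becomes part of the
// SQL text, so there is nothing to escape and nothing to get wrong.
function insertBound(mysqli $db, string $data): int {
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->bind_param('s', $data);
    $stmt->execute();
    return (int) $db->insert_id;
}

function fetchBody(mysqli $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['body'] ?? null;
}

// ---- Boundary 2: HTML. Encode only when the stored value goes into a page. ----

function forHtml(string $s): string {
    // ENT_QUOTES also encodes the single quote, so the result is safe inside
    // single-quoted attributes as well as element content. Passing the charset
    // explicitly avoids depending on the default_charset ini setting, and
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample, the kind of thing the OP's form could submit.
$input = "<b>Bob's</b> \"quote\" \\ / O'Reilly";

$db = connect();
$idA = insertEscaped($db, $input);
$idB = insertBound($db, $input);

// Both rows hold the raw input: no backslashes, no entities. If the value had
// been run through addslashes(htmlspecialchars()) before the INSERT, the table
// would contain &lt;b&gt; and \' instead, and encoding it again on output
// would double-encode it.
var_dump(fetchBody($db, $idA) === $input, fetchBody($db, $idB) === $input);

// Encode once, at the HTML boundary, and the browser shows the text literally.
echo '<p>' . forHtml(fetchBody($db, $idB)) . "</p>\n";
echo '<input value=\'' . forHtml(fetchBody($db, $idB)) . "'>\n";
```

Keeping the stored value raw is what makes the second step work: each output context (HTML here, SQL on the way in) gets exactly one encoding for that context, applied at the point where the data crosses into it.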
