On Fri, December 14, 2007 8:40 am, Adam Williams wrote: > I'm going to be inserting data from a PHP form into a mysql field. > The > data could contain special characters like < > ' " \ /, etc. How do I > handle that? just $data = addslashes(htmlspecialchars($data)); before > the insert query? because later on the data will be read back from > the > mysql db and I don't want it to contain a special character that would > break the PHP script. The term "special characters" means different characters in different contexts. The characters that are special to an IBM printer and those that are special to HTML and those that are special to RSS and those that are special to MySQL are all DIFFERENT sets of characters. In addition, those that are "special" to your business application, if any, could add yet another set of "special characters" that you need to worry about. Here is the rough outline of what you SHOULD do, imho: #1. When the data is INPUT from the user via GET/POST or any other external source, first and foremost you want to FILTER it to be sure it fits your BUSINESS LOGIC needs. We cannot tell you exactly what your needs are for your business logic, but we can say that a Guiding Principle should be to specify exactly which characters ARE allowed, and only accept those characters. This is very different in a subtle way from trying to "outlaw" the bad characters -- And it's crucial to "get it right" by only allowing the "good" characters. This is called FILTER INPUT. #2. Right before you insert/update to MySQL, use: $data_sql mysql_real_escape_string($data); Then insert/update using '$data_sql' instead of '$data' mysql_real_escape_string WILL do the right thing for escaping the characters that are special to MySQL. #2A. An alternative to #2 is to use prepared statements so that the "$data" is handled distinct from the SQL query keywords, and then you don't need to use mysql_real_escape_string because MySQL *knows* which parts are data, and which parts are SQL keywords. #3. At the point that you output your data to HTML, or RSS, or TCP/IP over Carrier Pigeon protocol, you want to ESCAPE OUTPUT using a function suitable for the output medium. For html, you could use: $data_html = htmlentities($data); echo $data_html; It is important not to try to do this "too early" (say in step #2) because then you just have pre-escaped data in your database for an output medium that you may not actually be using someday down the road. You want to keep your actual data pristine and clean of output escaping -- Escape it right before you output it, and then you can use the same DB for *other* media with *other* sets of special characters. -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
