Caner BULUT wrote:
Hi Guys,
I have a question if you have any knowledge about this please let me know.
I getting data from a form with POST method like following.
$x = htmlentities($_POST['y']);
.
After getting all form daha I save them into DB, I used
mysql_real_escape_string.
Don't try to home brew your own.
You'll miss stuff.
Use an input filter class that is developed by and tested by a large
number of users.
http://htmlpurifier.org/
is what I recommend.
Also, with respect to mysql_real_escape - if you use prepared
statements, escaping isn't an issue.
Personally I recommend a database extraction later.
Pear MDB2 is a good one.
It makes your code portable to other databases as long as you stick to
standard SQL (which usually is pretty easy to do).
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
