Ben Dunlap wrote:
You can use http://us.php.net/mysql_real_escape_string to escape the
input.
[8<]
You should prep your data for insertion into the database by using a tool
that formats it strictly for the database. In the OP's case
mysql_real_escape_string() is the correct tool for the job.
What about using prepared statements? This is my preferred method of
"escaping output" when I'm using variables in a database query. Of
course the ease and convenience of this method will depend to a great
extent on what version of PHP is available on the server.
For the OP, have you read up much on SQL injection? If not, here's a
decent place to start: http://www.owasp.org/index.php/SQL_injection
Ben
Prepared statements are what I use.
-=-
The problem I have with htmlentities is that the entities are only
guaranteed for HTML. Many of the entities do not work in other SGML or
XML applications; it is better to just use the numbered entity (i.e.
  for a non-breaking space) or, for things like smart quotes,
possessive apostrophes, etc., the proper utf8 character directly (make
sure to serve the document as utf8 encoded and that your database is set to
utf8).
I found that out the hard way, and had to redo a lot of stuff where I
previously used the PHP htmlentities function. Using the function to
spit out HTML is fine, but to write functions / classes you can re-use
in non-HTML documents, you should avoid it altogether.
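As an added example (not code from anyone in this thread), the two points above side by side: a PDO prepared statement for the insert, and an output escaper that stays valid in both HTML and XML by emitting only numeric references. It assumes a hypothetical `comments(author, body)` table and a `$pdo` connection you create with your own DSN and credentials.

```php
<?php
// Added example, not from the mailing list thread. Assumes a table
// comments(author, body) and a PDO connection built from your own DSN.

// 1. Query side: bind user input instead of building the SQL string.
function insertComment(PDO $pdo, string $author, string $body): int
{
    // The SQL text and the values travel separately, so a body such as
    // x'); DROP TABLE comments; -- is stored as data, never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (author, body) VALUES (:author, :body)'
    );
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// 2. Output side: an escaper usable in HTML and in XML (RSS, SVG, XHTML
// served as application/xml). htmlentities() produces named entities such as
// &eacute; and &nbsp; that XML parsers do not know; this one never does.
function escapeForMarkup(string $text): string
{
    // Only the five predefined XML entities are used. ENT_XML1 makes the
    // single quote come out as the numeric &#039; rather than &apos;.
    $out = htmlspecialchars($text, ENT_QUOTES | ENT_XML1, 'UTF-8');

    // Non-ASCII text is left as raw UTF-8 (the page is served as UTF-8);
    // only U+00A0 is turned into the numeric reference &#160; so the
    // invisible character survives editors and is unambiguous in any
    // SGML/XML dialect. The map is [first, last, offset, mask].
    return mb_encode_numericentity($out, [0xA0, 0xA0, 0, 0xFFFF], 'UTF-8');
}

// Constructed sample input: quotes, a tag, an accented letter and a
// non-breaking space, the cases the thread discusses.
$raw = "Ben's \"caf\u{E9}\" <b>\u{A0}& co";
echo escapeForMarkup($raw), PHP_EOL;

// Wiring it up (replace DSN and credentials with your own):
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4',
//                'user', 'pass', [
//                    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//                    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
//                ]);
// insertComment($pdo, 'Ben', $raw);   // store raw; escape on output only
```

Store the raw string and call escapeForMarkup() at output time; escaping before the INSERT would bake HTML entities into the database and break any non-HTML consumer.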
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php