Re: stripslashes etc.

Andrew Darby wrote:
Hello, all.  I'm getting a bit confused figuring out the best way to
insert data into a db via web forms and then pull it out again safely.
 I know there's lots of information out there, but I was hoping
someone could suggest a current, [easy!] best practice.  Specifically,
I have the following surely common set of situations:

1.  user submits info to db
     --how best to screen out html / escape special characters on insert

2.  info is publicly displayed
     -- how best to unescape special characters for display

3.  user edits their submission in form populated with their existing data
     --again, to screen, but not have the escape characters multiply crazily

4.  user updates db
     --again, without the addition of exciting new escape characters

I'm getting a bit mixed up through all the stages, and if someone
would take pity and walk me through this, I, um, would thank you
sincerely.

TIA,

Andrew

When inserting, use this:

<?php
// HTML-encode the text first, then backslash the quotes for the SQL literal
$text = addslashes(htmlspecialchars($text));
?>

When extracting, use this:

<?php
// remove the backslashes that addslashes() put in front of quotes
$text = stripslashes($text);
?>

htmlspecialchars does this:

      '&' (ampersand) becomes '&amp;'

      '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.

      ''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.

      '<' (less than) becomes '&lt;'

      '>' (greater than) becomes '&gt;'

addslashes does this:

Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

stripslashes strips all slashes added by addslashes.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
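
As an added example (not code from either post in this thread), here are the three functions reimplemented in Python from exactly the behaviour quoted above, so the effect of the reply's recipe on Andrew's four stages can be checked offline; it assumes ENT_QUOTES is off unless passed and uses constructed sample strings. It shows what the insert recipe produces, that the text comes back still HTML-encoded, and that running either escape a second time at the edit or update stage is what makes the escape characters multiply.

```python
def htmlspecialchars(text: str, ent_quotes: bool = False) -> str:
    """Mirror of the behaviour quoted in the reply: '&', '"', '<' and '>' are
    always encoded, the single quote only when ENT_QUOTES is set.
    '&' is replaced first so the entities produced below are not encoded again."""
    out = (text.replace("&", "&amp;")
               .replace('"', "&quot;")
               .replace("<", "&lt;")
               .replace(">", "&gt;"))
    return out.replace("'", "&#039;") if ent_quotes else out


def addslashes(text: str) -> str:
    """Backslash before ' " \\ and NUL, as the reply describes (NUL becomes \\0)."""
    return (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"')
                .replace("\x00", "\\0"))


def stripslashes(text: str) -> str:
    """Undo addslashes: drop one backslash before the next character, \\0 -> NUL."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\":
            i += 1
            if i < len(text):
                out.append("\x00" if text[i] == "0" else text[i])
        else:
            out.append(text[i])
        i += 1
    return "".join(out)


def escape_for_insert(user_input: str) -> str:
    """Stage 1, the reply's insert recipe: HTML-encode, then slash for the literal."""
    return addslashes(htmlspecialchars(user_input))


def unescape_on_extract(stored: str) -> str:
    """Stage 2, the reply's extract recipe. Note the HTML entities remain."""
    return stripslashes(stored)


def populate_edit_form(extracted: str) -> str:
    """Stage 3 as many people write it: encode again before putting the value in
    an <input>. Because the text was already encoded at stage 1, '&lt;' becomes
    '&amp;lt;' here, which is the multiplying effect Andrew describes."""
    return htmlspecialchars(extracted)
```

Escape once, at a single agreed stage; every extra pass through addslashes adds a backslash per existing backslash and quote, and every extra pass through htmlspecialchars re-encodes the '&' of each entity.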

