Re: Slashes or no slashes

You use mysql_real_escape_string for queries on the way in.

$query = "select * from table where name='" . mysql_real_escape_string($_POST['name']) . "'";

You use htmlspecialchars on the way out:

$value = htmlspecialchars($row['name']);


--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Ah... thanks Chris.
If I want to compare that value I get from the database to what a user entered,
do I escape the value they entered or add htmlspecialchars to it before
comparing it to what comes out of the database?
Sorry this is such a PHP 101 question. If you have time to respond,
please do, otherwise no worries, I am sure I will figure it out.

If you want to compare, you're doing a query - so use mysql_real_escape_string:

$query = "select blah from table where name='" . mysql_real_escape_string($_POST['name']) . "'";


When you print results, you use htmlspecialchars:

echo "Your search for " . htmlspecialchars($_POST['name']) . " returned X results<br/>";

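The "escape on the way in, encode on the way out" rule from the thread, as an added example that is not Chris's code or from the list. It uses mysqli prepared statements in place of mysql_real_escape_string (the mysql extension was removed in PHP 7), and it assumes a hypothetical `users` table with a `name` column and placeholder connection details. The in-PHP comparison at the end answers the follow-up question: escaping is applied for the destination a value is written into (the SQL text or the HTML page), so two values compared inside PHP are compared raw.

```php
<?php
// Added example, not part of the original thread. Assumes a table `users`
// with a column `name`; connection details below are placeholders.
declare(strict_types=1);

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder credentials
$mysqli->set_charset('utf8mb4'); // the connection charset must match what the driver escapes/binds for

/**
 * On the way in: the user's value never becomes part of the SQL text.
 * The statement is parsed first and the value is bound afterwards, so
 * quotes or comment sequences in $name are treated as data, not syntax.
 */
function findByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * On the way out: encode for the context the value is printed into.
 * ENT_QUOTES also encodes single quotes, so the result is safe inside
 * either kind of attribute quoting; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$input = $_POST['name'] ?? '';

$rows = findByName($mysqli, $input);

// Comparing inside PHP: both sides stay raw. Neither mysql_real_escape_string
// nor htmlspecialchars is applied here, because the value is not being
// written into SQL or HTML at this point.
$exactMatches = array_filter($rows, fn(array $r): bool => $r['name'] === $input);

echo 'Your search for ' . h($input) . ' returned ' . count($rows) . " results<br/>\n";
foreach ($rows as $r) {
    echo h($r['name']) . "<br/>\n";
}
echo count($exactMatches) . " exact match(es)<br/>\n";
```

Both helpers are kept separate on purpose: `findByName` knows nothing about HTML and `h` knows nothing about SQL, so a value that is stored once and printed in several places is encoded freshly for each output and never double-escaped in the database.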


