You use mysql_real_escape_string for queries on the way in.
$query = "select * from table where name='" . mysql_real_escape_string($_POST['name']) . "'";
You use htmlspecialchars on the way out:
$value = htmlspecialchars($row['name']);
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Ah.. thanks Chris.
If I want to compare that value I get from the database to what a user
entered, do I escape the value they entered or add htmlspecialchars to it
before comparing it to what comes out of the database?
Sorry this is such a PHP 101 question. If you have time to respond,
please do, otherwise no worries, I am sure I will figure it out.
If you want to compare, you're doing a query - so use
mysql_real_escape_string:
$query = "select blah from table where name='" .
mysql_real_escape_string($_POST['name']) . "'";
When you print results, you use htmlspecialchars:
echo "Your search for " . htmlspecialchars($_POST['name']) . " returned X results<br/>";
--
Postgresql & php tutorials
http://www.designmagick.com/
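Putting both halves of Chris's rule into one runnable script, as an added example that is not part of the thread and not the list's own code. It assumes PHP 7 or later with the pdo_sqlite extension, an in-memory SQLite table named users standing in for the MySQL table, a constructed $_POST value in place of a real form submission, and hypothetical helper names (findByName, matchesInput, renderResult). Because the mysql_* functions were removed in PHP 7.0, the "on the way in" step uses a bound parameter, which is the modern equivalent of the mysql_real_escape_string() concatenation shown above; the comparison and the "on the way out" step are exactly as the thread describes.

```php
<?php
// Added example, not from the list thread: escape for the context you are
// entering (SQL on the way in, HTML on the way out) and compare raw values.
// Assumptions: PHP 7+ with pdo_sqlite; an in-memory SQLite table stands in
// for the MySQL table; $_POST['name'] is a constructed value.

declare(strict_types=1);

// --- constructed fixture: names that contain SQL- and HTML-significant
// --- characters, so the boundaries actually matter
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$seed = $db->prepare("INSERT INTO users (name) VALUES (?)");
foreach (["O'Brien", "<b>Mallory</b>", "Alice"] as $n) {
    $seed->execute([$n]);
}

// Constructed form input; the quote is deliberate.
$_POST['name'] = "O'Brien";

// "On the way in": the value reaches SQL as a bound parameter. This is the
// parameterised replacement for the mysql_real_escape_string() concatenation
// in the thread: the driver, not string pasting, keeps the quote from ending
// the literal. The stored value is the original string, unescaped.
function findByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Comparison: done on raw values. Neither side is escaped, because the
// database holds the original string, not an SQL- or HTML-escaped copy.
function matchesInput(?array $row, string $input): bool
{
    return $row !== null && $row['name'] === $input;
}

// "On the way out": escape for HTML only at the point of output, and escape
// every value that ends up in the page, the user's input and the DB value.
function renderResult(?array $row, string $input): string
{
    $safeInput = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    if ($row === null) {
        return "No user named {$safeInput}<br/>";
    }
    $safeName = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    return "Your search for {$safeInput} matched {$safeName}<br/>";
}

$row = findByName($db, $_POST['name']);
var_dump(matchesInput($row, $_POST['name']));
echo renderResult($row, $_POST['name']), "\n";

// The mistake the question asks about: comparing an HTML-escaped copy of the
// input against the stored value. htmlspecialchars() rewrites ' " < > &, so
// this is false for any name containing one of them, even though it is the
// same user.
var_dump(htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8') === $row['name']);
```

The point of the last line is that escaping is a property of the destination, not of the data: a name is escaped one way to go into a query and another way to go into HTML, and the comparison in between works on the plain string that both escapings are derived from. Swapping "O'Brien" for "<b>Mallory</b>" in the constructed $_POST value shows the same three outcomes, with the tag rendered as text rather than markup.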