I'm just now learning all the intricacies of preventing SQL injection attacks. I understand the value of using Zend_Db quoting for values that can be manipulated by users. What I can't find, though, is a good "unescape" command.

If I have an article, for example, that I want to store and then retrieve and display, I'll quote the article before inserting it. This will, of course, escape all quotes, but it will also put a set of single quotes around my entire article. When I then retrieve the article and run "stripslashes()" to unescape the quotes, it leaves the surrounding single quotes.

-------------------------------------------------------------------------
<code>
$article = "my article has 'very little' content";
echo $article;
echo "<br />";
$article = $db->quote($article);
echo $article;
echo "<br />";
$article = stripslashes($article);
echo $article;
echo "<br />";
</code>
-------------------------------------------------------------------------

this returns:

-------------------------------------------------------------------------
my article has 'very little' content
'my article has \'very little\' content'
'my article has 'very little' content'
-------------------------------------------------------------------------

is there something very obvious that I'm missing?

Thanks,
Jared

--
View this message in context: http://www.nabble.com/quoteOutOf--tf2307893.html#a6416052
Sent from the Zend Framework mailing list archive at Nabble.com.
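The behaviour in the post comes from what quote() is for: it produces a SQL string literal to be pasted into query text, and the database's own parser removes the surrounding quotes and the escaping when it executes the statement, so the stored value is the original article and no "unescape" step is needed on the way out. The surrounding quotes only survive if the quoted literal itself is sent as data (for example by quoting and then binding it as a parameter). The following is an added example, not code from the post or from Zend_Db; it uses Python's sqlite3 module with an in-memory database, and quote_literal() is a hypothetical stand-in for $db->quote() (SQLite escapes an embedded quote by doubling it, where the MySQL output in the post shows a backslash; the principle is identical). It shows three round trips: a quoted literal embedded in the SQL text, the raw value bound as a parameter, and the mistaken combination of both:

```python
import sqlite3

# Constructed sample value: the same text used in the post.
ARTICLE = "my article has 'very little' content"


def quote_literal(value: str) -> str:
    """Turn a string into a SQL string literal, the job Zend_Db's quote() does.

    Hypothetical stand-in for $db->quote(): embedded single quotes are escaped
    and the whole value is wrapped in single quotes. SQLite escapes a quote by
    doubling it; MySQL uses a backslash, which is what the post's output shows.
    """
    return "'" + value.replace("'", "''") + "'"


def _fresh_db() -> sqlite3.Connection:
    """Create an empty in-memory database with one table for the round trips."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_quoted_literal(value: str) -> str:
    """Embed the quoted literal in the SQL text; return what the database stored.

    The database parser strips the outer quotes and the escaping, so the stored
    value is the original string. No unescaping is needed when reading it back.
    """
    conn = _fresh_db()
    conn.execute("INSERT INTO articles (body) VALUES (" + quote_literal(value) + ")")
    (stored,) = conn.execute("SELECT body FROM articles").fetchone()
    conn.close()
    return stored


def store_bound_parameter(value: str) -> str:
    """Bind the raw value as a query parameter; return what the database stored.

    No quoting by the application at all: the driver keeps the value separate
    from the SQL text, which is the preferred way to avoid injection.
    """
    conn = _fresh_db()
    conn.execute("INSERT INTO articles (body) VALUES (?)", (value,))
    (stored,) = conn.execute("SELECT body FROM articles").fetchone()
    conn.close()
    return stored


def store_double_escaped(value: str) -> str:
    """The mistake: quote the value AND bind it, so the literal itself becomes data.

    The stored value now carries the surrounding quotes and the escaping, which
    is exactly the symptom described in the post.
    """
    conn = _fresh_db()
    conn.execute("INSERT INTO articles (body) VALUES (?)", (quote_literal(value),))
    (stored,) = conn.execute("SELECT body FROM articles").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    print("original:         ", ARTICLE)
    print("quoted literal:   ", quote_literal(ARTICLE))
    print("stored (literal): ", store_quoted_literal(ARTICLE))
    print("stored (bound):   ", store_bound_parameter(ARTICLE))
    print("stored (both):    ", store_double_escaped(ARTICLE))
```

Running it shows that both the embedded literal and the bound parameter store the article unchanged, while quoting and then binding stores the quoted form with its outer quotes, which stripslashes() (or any other unescape) cannot cleanly undo. Quote for the SQL text, or bind as a parameter, but never do both.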
