You shouldn't have to call stripslashes on data coming out of the database, unless you somehow double-escaped it when it was being inserted. To be sure, your SQL query should look something like this (in MySQL):

    INSERT INTO table SET lastname = 'O\'Reilly';

If you are accidentally double-escaping, your query would look like this:

    INSERT INTO table SET lastname = 'O\\\'Reilly';

When you pull the data back out of the database, you should not have any slashes except when they are actually part of the data. This means all you have to do is use $this->escape() on them from within your templates.

If you are double-escaping, the first thing I would check is to make sure magic_quotes is OFF, and then manually escape the data going into the database using Zend_Db#quote().

--
Hector

On Fri, Feb 19, 2010 at 2:33 PM, Jurian Sluiman <[email protected]> wrote:
> Hi all,
> I try to figure out what the best option is to escape my data. I have an
> UTF-8 website so actually it's fine to work with the original characters
> (and no need for htmlentities() or htmlspecialchars()). Nevertheless all my
> data comes from a database and the data is inserted with all quotes escaped.
> That means to display the texts I need a stripslashes() for every variable.
>
> Stripslashes() everywhere is very ugly and gives cluttered code in all my
> view scripts. What's the best option to strip the slashes automatically?
> Replacing the escape function with stripslashes() replaces the problem with
> another: $this->escape() everywhere instead of stripslashes(). Is it better
> to escape the variables automatically by overriding the __set() from
> Zend_View_Abstract? Another (fail-proof) system to have a smart system to
> escape my data?
>
> Thanks in advance,
> Jurian
>
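An added example, not part of the original thread and not Zend Framework code: it reproduces the double-escaping symptom discussed above and contrasts it with escaping once at the database boundary and once at output. Assumptions: an in-memory SQLite database via PDO stands in for MySQL and Zend_Db, addslashes() simulates magic_quotes, htmlspecialchars() stands in for $this->escape(), and the table, sample value and looksDoubleEscaped() helper are constructed for illustration.

```php
<?php
// Added illustration. Table name, column name and sample value are constructed.
// addslashes() simulates magic_quotes_gpc, which was removed in PHP 5.4.
// Requires the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, lastname TEXT)');

// Heuristic (assumption, hypothetical helper): a backslash directly before a
// quote or another backslash in stored text suggests it was escaped twice.
function looksDoubleEscaped(string $value): bool
{
    return preg_match('/\\\\[\'"\\\\]/', $value) === 1;
}

$raw         = "O'Reilly <b>";      // what the user typed
$magicQuoted = addslashes($raw);    // what magic_quotes would hand the script

// The bound parameter is the single, correct escaping step at the database
// boundary (the role Zend_Db's quote() plays in the thread).
$insert = $db->prepare('INSERT INTO people (lastname) VALUES (?)');
$insert->execute([$magicQuoted]);   // row 1: escaped twice, slash gets stored
$insert->execute([$raw]);           // row 2: escaped once, stored verbatim

foreach ($db->query('SELECT id, lastname FROM people ORDER BY id') as $row) {
    // Output escaping happens once, at render time; htmlspecialchars() stands
    // in here for the view's $this->escape().
    $html = htmlspecialchars($row['lastname'], ENT_QUOTES, 'UTF-8');
    printf(
        "row %d stored=[%s] double-escaped=%s html=[%s]\n",
        $row['id'],
        $row['lastname'],
        looksDoubleEscaped($row['lastname']) ? 'yes' : 'no',
        $html
    );
}
```

Running the heuristic over existing rows is a quick way to tell whether stored data was already damaged before magic_quotes was turned off, since those rows need a one-time cleanup rather than stripslashes() in every view.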
