Todd Trent wrote:
I need to add textarea input into a mysql database. The input can be
anything you would find in normal paragraph text -
[:alnum:][:punct:][:space:]. In this case it is likely that the input could
also include special accent characters (grave, acute, tilde, etc. - ex. é).
Is addslashes enough to reduce security/sql error issues (provided
!get_magic_quotes_gpc())? Or should I try to strip or test for "-- = < >".
This input, due to its size, is obviously not going to be used in a WHERE
clause.

Use mysql_escape_string()/mysql_real_escape_string() instead of addslashes() and you'll be fine for inserting the data into the database.


If you do not want any code within the text evaluated when you display it, run it through htmlentities()/htmlspecialchars() before displaying it (not before it's put in the database, though).

http://us2.php.net/mysql_escape_string
http://us2.php.net/htmlentities

--

---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
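Added example, not from the thread or its authors, showing the split John describes: the raw text is stored, the database layer handles SQL quoting, and HTML escaping happens only when the text is displayed. It uses the mysqli extension, since the mysql_escape_string()/mysql_real_escape_string() functions linked above were removed in PHP 7; the table `notes`, the column `body` and the connection parameters are assumptions.

```php
<?php
// Added example (not from the mailing-list thread). Assumes a MySQL table
// `notes` (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT) and the mysqli
// extension; the connection parameters below are placeholders.

function store_note(mysqli $db, string $body): int
{
    // Prepared statement: the textarea content travels as a bound parameter,
    // so quotes, backslashes, "--", "<", ">" and accented characters are all
    // plain data. This is the modern replacement for escaping + concatenation.
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    return (int) $db->insert_id;
}

function legacy_insert_sql(mysqli $db, string $body): string
{
    // The escaping approach from the thread, in its mysqli form. The escaper
    // takes the connection so it can honour the connection's character set;
    // call $db->set_charset() before using it.
    $escaped = mysqli_real_escape_string($db, $body);
    return "INSERT INTO notes (body) VALUES ('$escaped')";
}

function render_note(string $body): string
{
    // Escape for HTML at display time, never before storage: the database
    // keeps the original text, and each output context applies its own
    // encoding. Accented characters such as é pass through unchanged.
    return '<p>' . nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')) . '</p>';
}

// Constructed sample input of the kind the question describes; on PHP 8
// get_magic_quotes_gpc() no longer exists, so input arrives exactly as typed.
$input = "Café -- O'Reilly's <b>note</b>\nsecond line";

// Output escaping needs no database, so it can be shown directly.
echo render_note($input), "\n";

// Storage path: only attempted when a server is reachable.
mysqli_report(MYSQLI_REPORT_OFF);
$db = @new mysqli('localhost', 'app_user', 'placeholder-password', 'app_db');
if ($db->connect_error === null) {
    $db->set_charset('utf8mb4');   // escaping and accents must agree on the encoding
    $id = store_note($db, $input);
    echo "stored note $id\n";
}
```

Stripping "-- = < >" from the input, as the question considers, is unnecessary once the text is bound as a parameter or properly escaped, and it would silently mangle legitimate paragraphs; the characters only matter at the boundary where they are interpreted, and that boundary is where the encoding belongs.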