Todd Trent wrote:
I need to add textarea input into a mysql database. The input can be
anything you would find in normal paragraph text -
[:alnum:][:punct:][:space:]. In this case it is likely that the input could
also include special accent characters (grave, acute, tilde, etc. - ex. é).
Is addslashes enough to reduce security/sql error issues (provided
!get_magic_quotes_gpc())? Or should I try to strip or test for "-- = < >".
This input, due to its size, is obviously not going to be used in a WHERE

Use mysql_escape_string()/mysql_real_escape_string() instead of addslashes() and you'll be fine for inserting the data into the database.

If you do not want any code within the text evaluated when you display it, run it through htmlentities()/htmlspecialchars() before displaying it (not before it's put in the database, though).


---John Holmes...
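A current PHP rendering of the two points in the reply, as an added example (not code from the thread): the mysql_real_escape_string() route has since been removed from PHP, so the insert goes through a PDO prepared statement, and htmlspecialchars() is applied only at display time, never before storage. The script runs stand-alone against an in-memory SQLite database; the commented MySQL DSN and the table name `comments` are assumptions.

```php
<?php
// Added example, not from the mailing-list thread. Stores textarea input
// with a bound parameter and escapes it only when rendering as HTML.
declare(strict_types=1);

function openDb(): PDO {
    // Assumed MySQL settings; charset=utf8mb4 keeps accents such as "é" intact
    // and lets the server, not the client, handle quoting:
    //   $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass);
    //   $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

function saveComment(PDO $pdo, string $body): int {
    // The text travels as a parameter, so quotes, "--", "<" and ">" inside it
    // are stored literally and never reach the SQL parser.
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): ?string {
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

function renderComment(string $body): string {
    // Escape on output: the database keeps the original text, and the browser
    // receives markup characters as text rather than as tags.
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . nl2br($safe) . '</p>';
}

// Constructed sample resembling what a textarea might submit.
$input = "Café résumé -- it's \"fine\" <b>not bold</b>\n1 < 2 AND 2 > 1";
$pdo = openDb();
$id = saveComment($pdo, $input);
$stored = loadComment($pdo, $id);
if ($stored !== $input) {
    throw new RuntimeException('round-trip changed the stored text');
}
echo renderComment($stored), PHP_EOL;
```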

PHP Database Mailing List