Hello,

Thanks for all of the responses ... I am going to use mysql_real_escape_string.

Michael.


Jordi Canals wrote:
Hi, a couple of comments:


--snip--


htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
--snip--


Why are you using both htmlentities and htmlspecialchars? Think that
html only converts some entities while htmlentities converts all ...
so, for your purposes, apliying only one could do the job.


In the archives people suggest that using mysql_escape_string should be
used, I then found that you could globally enable magic_quotes_gpc.



magic_quotes_gpc is a generic way to getting the user data escaped,
but is not the recommended way. It's better to have magic_quotes_gpc
disabled and use a database specific method for scaping. If you use
mysql, I would recommend mysql_real_escape_string.
(mysql_escape_string is deprecated since 4.3.0)

Best regards,
Jordi.


-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php



Reply via email to