bruce wrote:
not sure i agree with this one.. if i put "foo \' cat" in a db tbl...
i expect that i'll get the same out... which is what some of the
articles i've seen have stated.. are you telling me, and are you sure,
that i'd get "foo ' cat" out instead!!????
the articles i've seen imply that if you addslashes, you also need to
stripslashes on the backend...
You're reading the wrong articles. :-)
Escaping is something you do to preserve data, period. If you have data
that is going to enter a context where it can be considered anything
other than data, it needs to be escaped. I often simplify this by
suggesting that you always escape output.
I did a podcast about this topic a few weeks ago:
http://pro-php.com/index.php?post_id=10
I also wrote a small followup blog entry:
http://shiflett.org/archive/133
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
