Re: [PHP] storing single and double quote in MySQL

Mon, 22 May 2006 10:02:27 -0700 

Brad Bonkoski wrote:

Looks good to me, just make sure you use:
http://www.php.net/manual/en/function.stripslashes.php


this is bad advice...


if you have to dump that information back to the users.

(you might want to check out: addslashes() to add the slashes before 


having to use stripslashes() and/or addslashes() when putting stuff
into the DB and/or when outputting stuff coming from the database
indicates that there is something (subtly?) wrong with the code in question.


your DB insert, just to keep those things under your command)


1. make sure add_magic_quotes [or whatever it's called exactly]
(and all it's siblings) are off.

2. use mysql_escape_string() or mysql_real_escape_string() [preferred] to
escape data begin put into the DB

3. use something like htmlentities() when displaying stuff in the browser
coming from the DB - this is dependent on what exactly you are displaying and
in what context -you don't want to entitize HTML that is meant to be used as 
HTML
(but then you would want to entitize the same HTML if you were displaying the 
HTML
in a textarea for editing purposes... always beware of cross-site-scripting 
vulnerabilities,
which comes down to:

1. clean & validate your input
2. use correct escaping when outputting (e.g. outputting to the DB, outputting
to the browser, etc)

oh read all of phpsec.org - that site goes to great pains to explain the
security issues inherent in [not] escaping/validating input/output.



-Brad

[EMAIL PROTECTED] wrote:


Hi to all!
After the form is submitted, some fields are filled with single and/or
double quote info (like: 1'2"x2'4", or sky's blue, or "cool" stuff).
I validate what I got using mysql_real_escape_string() and then store the

result in MySQL. And, it will be stored as:1\'2\"x2\'4\", and sky\'s 
blue,

and \"cool\" stuff.
Is this correct way or "correct" way will be to convert quotes in html
entities? If yes, means have to use htmlentities($Size, ENT_QUOTES)?

Thanks for any thoughts!

-afan


 





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php























					Reply via email to