Don:
> I have forms that retrieve data from mysql databases and send (for
> storage) data to same databases. I note many functions to make sure
> that the data is correct in appearance when it comes to special
> characters.
>
> addslashes()
> stripslashes()
> htmlspecialchars()
> htmlentities()
> get_html_translation_table(HTML_ENTITIES)
>
> When passing data from forms to database, which do I use?
> When retrieving data from database to display in forms, which do I use?
A question similar to this was just asked by Dennis (Subject: Re: [PHP] forms into database and visa versa). I'll copy the answer I gave there into here...

> It's a good idea to validate all data you're sticking in before you
> do. For example, if you have a numeric field, you don't want the
> person to be able to submit letters in that field. So, always check
> that the data is formatted the way you want it to be before sending it
> to the database.
>
> I usually use preg_replace() to remove undesirable characters.
>
> If you want text to go into a field and want people to be able to
> have quotes and other such items in there, then use addslashes().

But, it sounds like you're concerned about characters in the database coming out properly in the HTML you generate. So, if someone stored "<" in the database, you want it to show up as "&lt;" in your HTML. That's what htmlspecialchars() is for. Run your text coming OUT of the database through that.

Now, if you're then going to have users edit that data in a form and resubmit it to the database, you need to convert the HTML entities back to standard ascii characters. Here's a simple way to do that:

   // Map each entity produced by htmlspecialchars() back to its character.
   $replace['&amp;']  = '&';
   $replace['&lt;']   = '<';
   $replace['&gt;']   = '>';
   $replace['&quot;'] = '"';
   $UserInput = strtr($UserInput, $replace);

--Dan

--
PHP classes that make web design easier
SQL Solution | Layout Solution | Form Solution
sqlsolution.info | layoutsolution.info | formsolution.info
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
4015 7 Av #4AJ, Brooklyn NY
v: 718-854-0335 f: 718-854-0409

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
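The round trip the reply describes, as an added example that is not part of the original thread: validating a numeric field before storage, escaping once for the SQL layer, escaping once for the HTML layer, and reversing the HTML escaping with the same strtr() approach. A PHP array stands in for the MySQL table so the script runs offline; the function names, the constructed input string and the ENT_QUOTES/UTF-8 flags are assumptions of this example, not from the post. addslashes() is shown because it is what the post recommends; with mysqli or PDO a bound parameter does that job without any hand escaping.

```php
<?php
// Added example, not from the original post. Simulates the trip
// form -> "database" -> HTML page -> form with an array in place of MySQL.

// 1. Validate before storing: a quantity field may only hold digits.
//    Returns null when the input is not acceptable.
function validate_quantity(string $raw): ?int {
    return preg_match('/^\d{1,6}$/', $raw) ? (int) $raw : null;
}

// 2. Escaping for the SQL layer happens only when building SQL.
//    addslashes() is what the post suggests; a bound parameter is the
//    usual replacement today.
function sql_literal(string $value): string {
    return "'" . addslashes($value) . "'";
}

// 3. Escaping for HTML happens only when emitting HTML. ENT_QUOTES also
//    encodes single quotes, so the result is safe inside either kind of
//    attribute delimiter as well as in body text.
function html_text(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// 4. Reverse the HTML escaping, mirroring the strtr() table in the post
//    (plus the single-quote entity that ENT_QUOTES produces).
function html_unescape(string $value): string {
    $replace = [
        '&amp;'  => '&',
        '&lt;'   => '<',
        '&gt;'   => '>',
        '&quot;' => '"',
        '&#039;' => "'",
    ];
    return strtr($value, $replace);
}

// Constructed input: what a user might type into a comment box.
$userInput = 'Tom said "1 < 2 && 2 > 1" isn\'t news';

// Store the raw text; only the SQL statement itself needs SQL escaping.
$table   = [];
$table[] = $userInput;
echo "INSERT INTO comments (body) VALUES (" . sql_literal($userInput) . ")\n";

// Display page: one HTML escape for body text...
$page = '<p>' . html_text($table[0]) . '</p>';
// ...and the same escape for the form field value (double-quoted attribute).
$form = '<input name="comment" value="' . html_text($table[0]) . '">';
echo $page, "\n", $form, "\n";

// A browser decodes the entities in a value attribute before submitting the
// form, so the raw text comes back as typed. The strtr() table is for the
// case where escaped text has ended up in the database and must be undone.
var_dump(html_unescape(html_text($userInput)) === $userInput);

// The validation step from the quoted advice, on good and bad input.
var_dump(validate_quantity('42'));
var_dump(validate_quantity('4x2'));
```

Run it with `php example.php`. The point of splitting the helpers this way is that each escaping function is tied to the one layer whose syntax it protects: sql_literal() is never applied to text headed for a browser, and html_text() is never applied to text headed for the database, so nothing is double-escaped and nothing is stored in a pre-escaped form.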