On Fri, 17 May 2002, Don wrote:
> I have forms that retrieve data from mysql databases and send (for
> storage) data to same databases.  I note many functions to make sure
> that the data is correct in appearance when it comes to special
> characters.
> 
> addslashes()
> stripslashes()
> htmlspecialchars()
> htmlentities()
> get_html_translation_table(HTML_ENTITIES)
> 
> I've read the documentation but am still confused about what to use when.
> 
> When passing data from forms to database, which do I use?
> When retrieving data from database to display in forms, which do I use?

The basic goal is that you don't want anything being sent to your 
database's command interpreter that would result in data being taken for 
commands.

So that means that when you're sending textual data, it should be 
surrounded by quotes and any quotes inside there should be escaped 
properly.

There are different ways to make sure this gets done, and to some degree 
it's a matter of preference.

Personally, I turn magic_quotes_runtime OFF because it really creates a 
lot more work than it saves.

Then I use intval() on every integer, floatval() on every floating-point 
number, and addslashes() on every string. Then I build the SQL statement.

htmlentities has nothing to do with database operations, but is
used when sending text to browsers that might contain characters like &, 
<, and >. It escapes those characters so that they'll be shown as intended 
rather than interpreted for their special HTML meanings.

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
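The following is an added example, not code from miguel's reply or from the PHP project, that puts the approach above into working PHP: intval()/floatval() on the numeric fields, addslashes() on the string field with the value wrapped in single quotes in the SQL, and htmlspecialchars() only on the way back out to the browser. The table name, column names and the form submission are constructed for the example.

```php
<?php
// Added example (not from the original post): build an INSERT the way the
// reply describes, then escape a value read back from the database for HTML.
// The "comments" table and its columns are assumed; the $form array below is
// a constructed submission, not real user input.

/**
 * Build an INSERT statement from a submitted form.
 * Numbers are coerced to their type so no SQL can ride along inside them;
 * the string is escaped with addslashes() AND surrounded by quotes in the
 * SQL, which is what makes the escaping meaningful.
 */
function buildInsert(array $form): string
{
    $userId = intval($form['user_id']);    // integer column: trailing junk is dropped
    $rating = floatval($form['rating']);   // float column: parsing stops at the first non-numeric char
    $body   = addslashes($form['body']);   // string column: escapes ' " \ and NUL

    return "INSERT INTO comments (user_id, rating, body) "
         . "VALUES ($userId, $rating, '$body')";
}

/**
 * Prepare a string read back from the database for display inside a form.
 * This is the browser side of the job: &, <, > and both quote characters
 * are turned into entities so the text is shown, not interpreted as HTML.
 * ENT_QUOTES covers single quotes too, so the result is safe in value='...'
 * as well as value="...".
 */
function forHtml(string $fromDb): string
{
    return htmlspecialchars($fromDb, ENT_QUOTES, 'UTF-8');
}

// Constructed submission containing the characters that cause trouble.
$form = [
    'user_id' => '42abc',
    'rating'  => '4.5; DROP TABLE comments',
    'body'    => "O'Reilly said \"<b>hi</b>\" & left",
];

echo buildInsert($form), "\n";

// Pretend this string came back from a SELECT on the same row.
echo forHtml("O'Reilly said \"<b>hi</b>\" & left"), "\n";
```

Two caveats the example does not change: addslashes() knows nothing about the connection's character set, so the charset-aware escaping functions of the database extension (or prepared statements) are the equivalent a practitioner would reach for today, and the magic_quotes settings the reply mentions no longer exist in current PHP, so there is nothing to turn off and nothing to undo with stripslashes() before escaping.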
