On Fri, 17 May 2002, Don wrote:
> I have forms that retrieve date from mysql databases and send (for
> storage) data to same databases.  I note many functions to make sure
> that the data is correct in appearance when it comes to special
> characters.
> addslashes()
> stripslashes()
> htmlspecialchars()
> htmlentities()
> get_html_translation_table(HTML_ENTITIES)
> I've read the documentation but am still confused about what to use when.
> When passing data from forms to database, which do I use?
> When retrieving data from database to display in forms, which do I use?

The basic goal is that you don't want anything being sent to your 
database's command interpreter that would result in data being taken for 

So that means that when you're sending textual data, it should be 
surrounded by quotes and any quotes inside there should be escaped 

There are different ways to make sure this gets done, and to some degree 
it's a matter of preference.

Personally, I turn magic_quotes_runtime OFF because it really creates a 
lot more work than it saves.

Then I use intval() on every integer, floatval() on every floating-point 
number, and addslashes() on every string. Then I build the SQL statement.

htmlentities has nothing to do with database operations, but is
used when sending text to browsers that might contain characters like &, 
<, and >. It escapes those characters so that they'll be shown as intended 
rather than interpreted for their special HTML meanings.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to