[PHP-DB] escape chars continued

2004-03-22 Thread matthew perry
Filip de Waard wrote:

On Mar 22, 2004, at 12:17 PM, Jimmy Brock wrote:

Matt, love your show!

Use the addslashes function to escape ' " \ characters. See
http://php.net/addslashes for details.


Actually, you shouldn't use addslashes, but a database specific 
function like mysql_escape_string().

http://phundamentals.nyphp.org/PH_storingretrieving.php

Regards,

Filip de Waard

Jimmy Brock

Matthew Perry [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I am trying to allow my users to enter quotes in their strings.  For
instance instead of writing: 2 inch rod, they can write 2 " rod.  The
problem is, of course, that " ends the string and all that is saved is
any value before the ".  How do I get around this without using
textarea?


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Actually I think the problem is before you can use either addslashes or
mysql_escape_string() functions.  The value with " or ' never reaches
the database.  I think I need a way to ignore quotes for input values in
HTML.

Say I have this:
<input type=text size = 2 name=Q>
And my user enters: 2 " copper tubing
The value for Q will be: 2
When I add it to the database with addslashes there will be no ", ' or \
to add a slash to!
And when I retrieve it from the database and use mysql_real_escape()
there will be the same problem.

Thank you for your time, and yes I am the real Matthew Perry of course.

Matthew Perry



Re: [PHP-DB] escape chars continued

2004-03-22 Thread John W. Holmes
From: matthew perry [EMAIL PROTECTED]

 Actually I think the problem is before you can use either addslashes or
 mysql_escape_string() functions.  The value with " or ' never reaches
 the database.  I think I need a way to ignore quotes for input values in
 HTML.

 Say I have this:
 <input type=text size = 2 name=Q>
 And my user enters: 2 " copper tubing
 The value for Q will be: 2

No, the value of $Q will still be 2 " copper tubing, but if you tried to
show that value inside of a text box again, you'd lose everything after the
second quote, because you end up with this:

<input type=text size=2 name=Q value="2 " copper tubing">

HTML interprets the value as "2 " and the rest of the value as an
unrecognized attribute.

The solution is to run htmlentities() on the value to convert double quotes
into &quot; so you end up with

<input type=text size=2 name=Q value="2 &quot; copper tubing">

Which will appear correctly to the user.

Note that if you deal with text that's going to be shown on HTML pages,
running the text through htmlentities($value,ENT_QUOTES) will prevent the
text from being used for cross site scripting and SQL injection.

---John Holmes...

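As an added example (not code from the thread), here is the output-side fix John describes, placed next to a parameterized insert so the quote also reaches the database intact and comes back unchanged; it assumes PHP with the pdo_sqlite driver and constructs its own sample input.

```php
<?php
// Added example, not from the thread. Assumes PHP with PDO and pdo_sqlite.
// Shows the two separate layers: HTML attribute escaping on output, and
// parameter binding on the SQL side, for a value containing a double quote.

// Constructed sample input: 2-inch copper tubing typed with an inch mark.
$userInput = '2 " copper tubing';

// Naive rendering: the quote closes the attribute early, so the browser sees
// value="2 " and treats the rest as unrecognised attributes.
function renderInputNaive(string $value): string {
    return '<input type=text size=2 name=Q value="' . $value . '">';
}

// Correct rendering: ENT_QUOTES converts both " and ' so the whole value stays
// inside the attribute; the browser decodes &quot; back to " for the user.
function renderInputSafe(string $value): string {
    return '<input type=text size=2 name=Q value="'
        . htmlentities($value, ENT_QUOTES, 'UTF-8') . '">';
}

// SQL layer: bind the value as a parameter instead of escaping by hand.
// An in-memory SQLite database keeps the example self-contained and offline.
function roundTripThroughDb(string $value): string {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE parts (id INTEGER PRIMARY KEY, q TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO parts (q) VALUES (:q)');
    $ins->execute([':q' => $value]);
    $sel = $db->prepare('SELECT q FROM parts WHERE id = :id');
    $sel->execute([':id' => $db->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

$stored = roundTripThroughDb($userInput);
if ($stored !== $userInput) {
    throw new RuntimeException('value was altered by the database round trip');
}
echo renderInputNaive($stored), "\n";
// <input type=text size=2 name=Q value="2 " copper tubing">
echo renderInputSafe($stored), "\n";
// <input type=text size=2 name=Q value="2 &quot; copper tubing">
```

The same htmlentities() call belongs on every user-controlled value written into HTML, not only on values that happen to contain quotes.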