RE: [PHP-DB] validate/sanitize data

2004-11-17 Thread Bastien Koert
see htmlentities function in the manual
http://ca3.php.net/manual/en/function.htmlentities.php
bastien
From: Todd Trent [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [PHP-DB] validate/sanitize data
Date: Wed, 17 Nov 2004 15:06:55 -0500
I need to add textarea input into a mysql database. The input can be
anything you would find in normal paragraph text -
[:alnum:][:punct:][:space:]. In this case it is likely that the input could
also include special accent characters (grave, acute, tilde, etc. - ex. é).
Is addslashes enough to reduce security/sql error issues (provided
!get_magic_quotes_gpc())? Or should I try to strip or test for -- =  .
This input, due to its size, is obviously not going to be used in a WHERE
clause.
—
Todd Trent
VP
Hogfish Design
2550 26th Street West
Bradenton, FL 34205
Tel: 941-749-0144
url: www.hogfishdesign.com
—
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP-DB] validate/sanitize data

2004-11-17 Thread John Holmes
Todd Trent wrote:
I need to add textarea input into a mysql database. The input can be
anything you would find in normal paragraph text -
[:alnum:][:punct:][:space:]. In this case it is likely that the input could
also include special accent characters (grave, acute, tilde, etc. - ex. é).
Is addslashes enough to reduce security/sql error issues (provided
!get_magic_quotes_gpc())? Or should I try to strip or test for -- =  .
This input, due to its size, is obviously not going to be used in a WHERE
clause.
Use mysql_escape_string()/mysql_real_escape_string() instead of 
addslashes() and you'll be fine for inserting the data into the database.

If you do not want any code within the text evaluated when you display 
it, run it through htmlentities()/htmlspecialchars() before displaying 
it (not before it's put in the database, though).

http://us2.php.net/mysql_escape_string
http://us2.php.net/htmlentities
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com
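A worked version of the advice in the reply above, added here as an example and not code from the thread or from either poster. It stores the textarea text untouched, behind a bound parameter, and encodes for HTML only when rendering; a second run does what John warns against (htmlentities() before the INSERT) so the damage is visible. It assumes PHP 7.4 or later with the pdo_sqlite driver and keeps the table in memory so it runs offline; with MySQL only the DSN changes. The mysql_escape_string()/mysql_real_escape_string() functions named in the reply belong to the old mysql extension, which PHP 7 removed; a bound parameter does the same job, and mysqli_real_escape_string() remains for queries built as strings (unlike addslashes() it escapes according to the connection's character set). The sample text, function names and table name are constructed for the example.

```php
<?php
// Added example (not code from the thread). It applies the two rules from
// the reply above: make the text safe for the SQL sink when it enters the
// database, and safe for the HTML sink when it is displayed, and do not
// encode for one sink while feeding the other. Assumes PHP 7.4+ with the
// pdo_sqlite driver; the table lives in memory so the script runs offline.
declare(strict_types=1);

// Constructed sample of "normal paragraph text" containing every character
// class the question worried about: quotes, --, =, <, and accented letters.
const SAMPLE = "Café résumé -- it's \"done\"; 1 = 1 <b>bold?</b>";

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Store the raw text as a bound parameter: quotes, comment markers and
// accents are data, never SQL syntax, so nothing has to be stripped.
// (With the old mysql extension this is where mysql_real_escape_string()
// went; mysqli_real_escape_string() still exists for string-built queries.)
function storeNote(PDO $db, string $raw): int
{
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (int) $db->lastInsertId();
}

function loadNote(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// A second, non-HTML consumer of the stored text: a substring search.
// (The needle is a constant here; user-supplied LIKE patterns need their
// own wildcard escaping, which is a separate topic.)
function countNotesContaining(PDO $db, string $needle): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM notes WHERE body LIKE :pat');
    $stmt->execute([':pat' => '%' . $needle . '%']);
    return (int) $stmt->fetchColumn();
}

// Encode for the HTML sink at display time only. ENT_QUOTES handles both
// quote styles, so the result is also safe inside an attribute value; the
// charset argument must match the page's declared charset.
function renderNote(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- right way: raw in, encoded out ---------------------------------------
$db = openStore();
$id = storeNote($db, SAMPLE);
$stored = loadNote($db, $id);
if ($stored !== SAMPLE) {
    fwrite(STDERR, "round trip altered the text\n");
    exit(1);
}
echo "stored  : $stored\n";
echo "rendered: ", renderNote($stored), "\n";
// rendered: Café résumé -- it&apos;s &quot;done&quot;; 1 = 1 &lt;b&gt;bold?&lt;/b&gt;
echo "search 'résumé': ", countNotesContaining($db, 'résumé'), " hit(s)\n"; // 1

// --- wrong way: htmlentities() before storing ------------------------------
$bad = openStore();
$badId = storeNote($bad, htmlentities(SAMPLE, ENT_QUOTES, 'UTF-8'));
$badStored = loadNote($bad, $badId);
echo "stored  : $badStored\n";
// stored  : Caf&eacute; r&eacute;sum&eacute; -- it&#039;s &quot;done&quot;; ...
echo "rendered: ", renderNote($badStored), "\n";
// rendered: Caf&amp;eacute; r&amp;eacute;sum&amp;eacute; ... (double
// encoding: the browser now shows the literal text "Caf&eacute;")
echo "search 'résumé': ", countNotesContaining($bad, 'résumé'), " hit(s)\n"; // 0
```

Run it with `php example.php`. The first block round-trips the text byte for byte, including `--`, `=` and `é`, and only the HTML output is encoded; the second block shows why encoding before the INSERT is the wrong layer: the database now holds entities, so a plain search misses the accented word and the normal display path encodes the `&` a second time.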


RE: [PHP-DB] validate/sanitize data

2004-11-17 Thread Todd Trent
 http://us2.php.net/mysql_escape_string
 http://us2.php.net/htmlentities

thanks guys, great help.

 
Todd Trent
VP
Hogfish Design
2550 26th Street West
Bradenton, FL 34205
Tel: 941-749-0144
url: www.hogfishdesign.com