Clicked on the search query on php.net and got to one website after another
which then led to this website
http://us4.php.net/manual/en/function.mysqli-real-escape-string.php
Now, I see the problem, the i was added to the word, mysql. So,
probably clicked on the wrong link somewhere.
Ah, when I enter the mysql_escape_string in the search for textbox, I
get a mysqli_escape_string webpage. So, it wasn't me that made a mistake
after all. I didn't know there is mysqli as well.
Scott F.
Scott Fletcher [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Clicked on
Torsten Roehr mailto:[EMAIL PROTECTED]
on Wednesday, June 30, 2004 10:03 AM said:
1. get data from DB
2. convert for valid HTML output (stripslashes(), htmlentities())
3. output as HTML (into the form elements)
4. get POST data
5. escape POST data and insert into DB again
two comments:
On Wed, 30 Jun 2004 19:02:50 +0200, Torsten Roehr [EMAIL PROTECTED] wrote:
Scott Fletcher [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I'm using data that goes from the HTML textbox to PHP to MYSQL to PHP to
HTML textbox. The only trouble I have is to escape the apostrophe
On Wed, 30 Jun 2004 19:32:29 +0200, Red Wingate [EMAIL PROTECTED] wrote:
use &quot; to display the data in the input-text element and undo this
before inserting it into the database
function quoteToHtml ( $string ) {
return str_replace( '"' , '&quot;' , $string );
}
Much better to use
Justin Patrin [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
On Wed, 30 Jun 2004 19:02:50 +0200, Torsten Roehr [EMAIL PROTECTED]
wrote:
Scott Fletcher [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I'm using data that goes from the HTML textbox to PHP to MYSQL to
Chris W. Parker [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]01.ati.local...
Torsten Roehr mailto:[EMAIL PROTECTED]
on Wednesday, June 30, 2004 10:03 AM said:
1. get data from DB
2. convert for valid HTML output (stripslashes(), htmlentities())
3. output as HTML (into the form
Red Wingate wrote:
use &quot; to display the data in the input-text element and undo this
before inserting it into the database
function quoteToHtml ( $string ) {
return str_replace( '"' , '&quot;' , $string );
}
function htmlToQuote ( $string ) {
return str_replace( '&quot;' , '"' , $string );
}
What's wrong with addslashes() on the way in and stripslashes() on the
way out? Why would you want to convert it to its HTML entity?
--
Joel Kitching
http://midgardmanga.keenspace.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Joel Kitching wrote:
What's wrong with addslashes() on the way in and stripslashes() on the
way out? Why would you want to convert it to its HTML entity?
Please try to load the following HTML and tell me what's wrong with it:
<input type="text" name="whatever" value="some \" value">
And then load this:
Joel Kitching mailto:[EMAIL PROTECTED]
on Wednesday, June 30, 2004 10:34 AM said:
What's wrong with addslashes() on the way in and stripslashes() on the
way out? Why would you want to convert it to its HTML entity?
1. addslashes() is not as robust as other solutions like
1. addslashes() is not as robust as other solutions like
mysql_escape_string().
What exactly is the difference between the two?
2. in either case the slashes will be non-existent when the data is
actually inserted into the database.
for example:
$mystring = hello here is my string. it
On Wed, 30 Jun 2004 11:00:19 -0700, Joel Kitching [EMAIL PROTECTED] wrote:
1. addslashes() is not as robust as other solutions like
mysql_escape_string().
What exactly is the difference between the two?
mysql_escape_string() and mysql_real_escape_string() do the escaping
as mysql needs
Justin Patrin mailto:[EMAIL PROTECTED]
on Wednesday, June 30, 2004 11:10 AM said:
mysql_escape_string() and mysql_real_escape_string() do the escaping
as mysql needs it. In addition, you can use PEAR::DB's quoteSmart to
quote and it will change depending on the DB backend you're using.
This one looks and sounds good. I'll give this a shot. Thanks a million
Scott F.
John W. Holmes [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Red Wingate wrote:
use &quot; to display the data in the input-text element and undo this
before inserting it into the database
and now to the second part... why use htmlentities()? that is for
displaying data within a form element OR (i hope i have this right)
preventing XSS (Cross Site Scripting attacks).
Yep, for displaying the data in the HTML's textbox and to allow us to redo
the data before resubmitting it.
Scott F.
Joel Kitching wrote:
s... when you pull the data *out* of the database the \ will not
exist and you therefore do not need to perform stripslashes().
I tried using addslashes() on the string in the query, and then
SELECTing it, and the slashes are included. Does
mysql_escape_string() not do
--- Justin Patrin [EMAIL PROTECTED] wrote:
You also shouldn't need addslashes when putting it in. quoteSmart() in
PEAR::DB is a *much* better option.
That's great for those who use PEAR::DB, but it's not very safe to argue
against addslashes() based on what's in a specific PEAR module.
I would
Bummer, mysql_escape_string() is available only in PHP 5 and up. I'm using
PHP 4.3.1
Chris Shiflett [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
--- Justin Patrin [EMAIL PROTECTED] wrote:
You also shouldn't need addslashes when putting it in. quoteSmart() in
PEAR::DB is a
[...]
Bummer, mysql_escape_string() is available only in PHP 5 and up. I'm using
PHP 4.3.1
[...]
*mo* - wrong
[quote]
mysql_escape_string
(PHP 4 >= 4.0.3, PHP 5)
[/quote]
On Wed, 30 Jun 2004 15:41:42 -0400, Scott Fletcher [EMAIL PROTECTED] wrote:
Bummer, mysql_escape_string() is available only in PHP 5 and up. I'm using
PHP 4.3.1
I know that it's not. Where are you seeing that? According to the manual:
Scott Fletcher mailto:[EMAIL PROTECTED]
on Wednesday, June 30, 2004 12:42 PM said:
Bummer, mysql_escape_string() is available only in PHP 5 and up. I'm
using PHP 4.3.1
read the page again bro. :)
http://us4.php.net/mysql_escape_string
chris.