[PHP] Confused about which function to use with forms/database
Hi,

I have forms that retrieve data from MySQL databases and send (for storage) data to the same databases. I note many functions to make sure that the data is correct in appearance when it comes to special characters:

addslashes()
stripslashes()
htmlspecialchars()
htmlentities()
get_html_translation_table(HTML_ENTITIES)

I've read the documentation but am still confused about what to use when.

When passing data from forms to the database, which do I use?
When retrieving data from the database to display in forms, which do I use?

Thanks,
Don
Re: [PHP] Confused about which function to use with forms/database
Don:

> I have forms that retrieve data from MySQL databases and send (for
> storage) data to the same databases. I note many functions to make sure
> that the data is correct in appearance when it comes to special
> characters:
>
> addslashes()
> stripslashes()
> htmlspecialchars()
> htmlentities()
> get_html_translation_table(HTML_ENTITIES)
>
> When passing data from forms to the database, which do I use?
> When retrieving data from the database to display in forms, which do I use?

A question similar to this was just asked by Dennis (Subject: Re: [PHP] forms into database and visa versa). I'll copy the answer I gave there into here...

It's a good idea to validate all data you're sticking in before you do. For example, if you have a numeric field, you don't want the person to be able to submit letters in that field. So, always check that the data is formatted the way you want it to be before sending it to the database. I usually use preg_replace() to remove undesirable characters.

If you want text to go into a field and want people to be able to have quotes and other such items in there, then use addslashes().

But, it sounds like you're concerned about characters in the database coming out properly in the HTML you generate. So, if someone stored < in the database, you want it to show up as &lt; in your HTML. That's what htmlspecialchars() is for. Run your text coming OUT of the database through that.

Now, if you're then going to have users edit that data in a form and resubmit it to the database, you need to convert the HTML entities back to standard ASCII characters.
Here's a simple way to do that:

   // Reverse the entities htmlspecialchars() produces for &, <, > and ".
   // strtr() with an array matches the longest key first and does not
   // rescan text it has already replaced, so "&amp;lt;" comes back as
   // "&lt;" rather than being decoded twice into "<".
   $replace['&amp;']  = '&';
   $replace['&lt;']   = '<';
   $replace['&gt;']   = '>';
   $replace['&quot;'] = '"';
   $UserInput = strtr($UserInput, $replace);

--Dan

-- 
PHP classes that make web design easier
SQL Solution | Layout Solution | Form Solution
sqlsolution.info | layoutsolution.info | formsolution.info
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Confused about which function to use with forms/database
On Fri, 17 May 2002, Don wrote:

> I have forms that retrieve data from MySQL databases and send (for
> storage) data to the same databases. I note many functions to make sure
> that the data is correct in appearance when it comes to special
> characters:
>
> addslashes()
> stripslashes()
> htmlspecialchars()
> htmlentities()
> get_html_translation_table(HTML_ENTITIES)
>
> I've read the documentation but am still confused about what to use when.
>
> When passing data from forms to the database, which do I use?
> When retrieving data from the database to display in forms, which do I use?

The basic goal is that you don't want anything being sent to your database's command interpreter that would result in data being taken for commands. So that means that when you're sending textual data, it should be surrounded by quotes and any quotes inside there should be escaped properly.

There are different ways to make sure this gets done, and to some degree it's a matter of preference. Personally, I turn magic_quotes_runtime OFF because it really creates a lot more work than it saves. Then I use intval() on every integer, floatval() on every floating-point number, and addslashes() on every string. Then I build the SQL statement.

htmlentities() has nothing to do with database operations, but is used when sending text to browsers that might contain characters like <, >, and &. It escapes those characters so that they'll be shown as intended rather than interpreted for their special HTML meanings.

miguel
RE: [PHP] Confused about which function to use with forms/database
> I've read the documentation but am still confused about what to use when.
>
> When passing data from forms to the database, which do I use?
> When retrieving data from the database to display in forms, which do I use?

Kinda depends on what you're using the data for, really. If you don't care about preserving formatting of any sort or keeping any HTML tags that are included, then strip the lot out before you drop it into your database. If you want to keep it all then you'll need to be more selective.

As a general rule, though, you'll need to 'escape' anything that your database won't like - this is typically the ' and " chars. addslashes() will do that for you. Anything else you want to do depends on what you need the data for.

When you suck the data back out you'll obviously need to stripslashes() to get rid of the 'escape' chars you added above. Then you'll also need to do any other processing required - for example, converting \n to <br> if you're just displaying data on a page (nl2br()). If you're actually sucking that data back out to go into a textarea in a form or something then you won't do that.

Unless you're particularly careful it's probably worth stripping out all HTML tags anyway, as they offer the potential to have someone include scripting.

When displaying to an HTML page you probably also want to convert special chars to HTML entities using htmlspecialchars().

I may have missed some stuff here, didn't bother looking at a manual while writing this, but I hope you'll get the idea.

CYA, Dave
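The input and output sides that Miguel and Dave describe above, carried through in PHP as an added example (this is not code from any message in the thread). It assumes a hypothetical table named crew and uses constructed form input; no database connection is opened, the INSERT statement is only built and echoed so the effect of the escaping can be inspected. The value handed to the output functions stands in for the row as MySQL would return it, which is the original text.

```php
<?php
// Added example, not code from the thread: the input/output pipeline the
// replies describe. Constructed form input; hypothetical table "crew";
// nothing is sent to a database, the SQL text is only built and echoed.

// Constructed $_POST-style input. Two fields carry trailing junk that the
// numeric coercion must drop; the name carries a legitimate single quote;
// the comment carries a newline, a tag, an ampersand and quotes.
$form = [
    'id'      => '42abc',
    'price'   => '19.99xyz',
    'name'    => "Chief O'Brien",
    'comment' => "Line one\n<b>Line two</b> & 'three'",
];

// Input side, as Miguel describes: intval() on integers, floatval() on
// floats, addslashes() on strings, then build the statement. Numbers are
// emitted unquoted (the coercion guarantees a numeric literal); strings are
// quoted, with any quote or backslash inside escaped so it cannot close
// the literal and be taken for part of the command.
function buildInsert(array $in): string
{
    $id      = intval($in['id']);            // 42
    $price   = floatval($in['price']);       // 19.99
    $name    = addslashes($in['name']);      // Chief O\'Brien
    $comment = addslashes($in['comment']);

    return "INSERT INTO crew (id, price, name, comment) "
         . "VALUES ($id, $price, '$name', '$comment')";
}

// For contrast: the same statement with the string dropped in unescaped.
// The quote in O'Brien ends the literal after "Chief O", and everything
// after it reaches the command interpreter as SQL, not as data.
function buildInsertUnescaped(array $in): string
{
    return "INSERT INTO crew (name) VALUES ('{$in['name']}')";
}

// Output side, as Dave describes. The database returns the original text
// (the parser consumed the backslashes), so the job here is to stop the
// browser from interpreting that text as markup.
//
// Into a form field: htmlspecialchars() only. No nl2br(), and no manual
// decoding of entities: the browser decodes them when it shows the field
// and submits the decoded text.
function renderTextarea(string $stored): string
{
    return '<textarea name="comment">'
         . htmlspecialchars($stored, ENT_QUOTES)
         . '</textarea>';
}

// Onto a page: strip tags (so stored markup cannot carry script, as Dave
// suggests; htmlspecialchars() alone would already neutralise them),
// escape what is left, and only then convert newlines to <br>. The order
// matters: nl2br() after htmlspecialchars(), otherwise the <br> tags it
// inserts would themselves be escaped.
function renderParagraph(string $stored): string
{
    $text = strip_tags($stored);
    return '<p>' . nl2br(htmlspecialchars($text, ENT_QUOTES)) . '</p>';
}

echo buildInsert($form), "\n";
echo buildInsertUnescaped($form), "\n";

$stored = $form['comment'];   // stands in for the row read back from MySQL
echo renderTextarea($stored), "\n";
echo renderParagraph($stored), "\n";
```

Running it prints the escaped statement, the unescaped one with the literal closed early by the quote in O'Brien, and the two HTML renderings. The example reproduces the thread's technique of addslashes() plus a hand-built statement as described; addslashes() is not aware of the connection's character set, and since PHP 5 the mysqli and PDO extensions offer prepared statements, which keep data out of the command text entirely and are what a practitioner would reach for today.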
RE: [PHP] Confused about which function to use with forms/database
On Sat, 18 May 2002, David Freeman wrote:

> As a general rule, though, you'll need to 'escape' anything that your
> database won't like - this is typically the ' and " chars. addslashes()
> will do that for you. Anything else you want to do depends on what you
> need the data for.
>
> When you suck the data back out you'll obviously need to stripslashes()
> to get rid of the 'escape' chars you added above.

Nope, because the escape characters don't actually get added to the database.

If you have a string:

   Chief O'Brien

and you want to pass it into a database whose command interpreter uses single quotes (') as string delimiters, then you need to tell it that the ' after O is not the end of the string. So you use addslashes() to preface it with a backslash (\). This results in the following string:

   Chief O\'Brien

When the database's command interpreter sees it, it removes the escape character (\) before inserting the string into the database. So it's back to its original form then. When you retrieve it, you'll just get:

   Chief O'Brien

miguel
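Miguel's point that the backslash is consumed by the command interpreter and never stored, run as an added example (not code from the thread). Since no database is involved, a small function written for this example stands in for the part of the parser that reads one single-quoted string literal; it knows the escapes addslashes() produces and the doubled-quote form, not MySQL's full escape set. The table and column names are made up.

```php
<?php
// Added example, not code from the thread: a stand-in for the part of the
// database's command interpreter that reads one single-quoted string
// literal. It consumes the backslashes addslashes() added, so the round
// trip can be run here without a database. The model is deliberately
// small: it handles the escapes addslashes() produces (\' \" \\ \0) and
// the doubled-quote form, not MySQL's full escape set (\n, \t, ...).

function sqlLiteralValue(string $sql): string
{
    $start = strpos($sql, "'");
    if ($start === false) {
        throw new InvalidArgumentException('no string literal in statement');
    }

    $out = '';
    $len = strlen($sql);
    for ($i = $start + 1; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === '\\' && $i + 1 < $len) {
            // Escape consumed: the backslash is dropped, the next byte kept.
            $n = $sql[++$i];
            $out .= ($n === '0') ? "\0" : $n;
        } elseif ($c === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") {
                $out .= "'";          // '' inside a literal is one quote
                $i++;
            } else {
                return $out;          // an unescaped ' closes the literal
            }
        } else {
            $out .= $c;
        }
    }
    throw new InvalidArgumentException('unterminated string literal');
}

// Miguel's example, round-tripped. Table and column names are made up.
$original = "Chief O'Brien";
$escaped  = addslashes($original);                    // Chief O\'Brien
$sql      = "INSERT INTO crew (name) VALUES ('$escaped')";
$stored   = sqlLiteralValue($sql);                    // Chief O'Brien

echo "in the statement: $escaped\n";
echo "what gets stored: $stored\n";
echo ($stored === $original) ? "stored value equals the original\n"
                             : "mismatch\n";

// Without the escaping, the same quote closes the literal after "Chief O"
// and "Brien" is left outside it, where the interpreter reads it as SQL.
echo "unescaped literal yields: ",
     sqlLiteralValue("INSERT INTO crew (name) VALUES ('$original')"), "\n";

// Because nothing extra was stored, stripslashes() on the way back out is
// not harmless: on data that legitimately contains backslashes it eats them.
$path    = 'C:\\temp\\notes.txt';                     // C:\temp\notes.txt
$stored2 = sqlLiteralValue("INSERT INTO t (p) VALUES ('" . addslashes($path) . "')");
echo "stored path:          $stored2\n";              // C:\temp\notes.txt
echo "after stripslashes(): ", stripslashes($stored2), "\n"; // C:tempnotes.txt
```

The last two lines show why the advice to stripslashes() on retrieval, which Miguel corrects above, is not merely redundant: on a stored Windows path it removes the path separators.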
RE: [PHP] Confused about which function to use with forms/database
> > When you suck the data back out you'll obviously need to stripslashes()
> > to get rid of the 'escape' chars you added above.
>
> Nope, because the escape characters don't actually get added to the
> database.
>
> When the database's command interpreter sees it, it removes the escape
> character (\) before inserting the string into the database. So it's
> back to its original form then. When you retrieve it, you'll just get:

Ah, fair enough. Obviously, I've never actually tested that particular behaviour. I'll keep this in mind for future reference though.

CYA, Dave