On May 2, 2012, at 1:08 PM, Eugenio Tacchini wrote:

> Now, I'm wondering if the DB specific escape functions really give
> additional value compared to addslashes.
Chris Shiflett's article from 2006 had the best argument I've seen on why addslashes is not enough to secure your code:

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Keep a copy of your unescaped data. Escape it for inserting into the database. Then take the original unescaped data and do what else you need with it.

If you're outputting to HTML, you need to run something like the following on each variable you output:

    echo htmlspecialchars((string) $var, ENT_QUOTES, 'UTF-8');
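The "keep the raw copy, escape per destination" pattern from the reply above, as an added example that is not part of the original thread. It swaps the hand-escaping the thread discusses for PDO bound parameters on the SQL side, uses an in-memory SQLite database and a constructed sample value so it runs offline, and also shows the stray backslash you get when one SQL-escaped copy is reused for HTML output.

```php
<?php
// Added example (not from the original thread): one raw value, escaped once
// per destination. SQL goes through bound parameters; HTML through
// htmlspecialchars on the *original* value, never on the SQL-escaped copy.
declare(strict_types=1);

// Constructed sample input: a quote plus markup, the two characters that
// matter for SQL and HTML respectively.
$rawName = "O'Reilly <b>fan</b>";

// Database side: no manual escaping at all; the driver binds the value.
function saveUser(PDO $db, string $rawName): void
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->bindValue(':name', $rawName, PDO::PARAM_STR);
    $stmt->execute();
}

// HTML side: escape the raw value for this context only.
function renderName(string $rawName): string
{
    return htmlspecialchars($rawName, ENT_QUOTES, 'UTF-8');
}

// The mistake the reply warns against: reusing the SQL-escaped copy for
// output. addslashes() backslashes survive into the rendered page.
function renderFromSqlCopy(string $rawName): string
{
    $sqlEscaped = addslashes($rawName); // meant for a SQL literal, nothing else
    return htmlspecialchars($sqlEscaped, ENT_QUOTES, 'UTF-8');
}

// In-memory SQLite stands in for the real database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

saveUser($db, $rawName);
$stored = $db->query('SELECT name FROM users')->fetchColumn();

// The stored row is byte-identical to the input: binding does not alter data.
echo $stored === $rawName ? "stored intact\n" : "stored altered\n";

// Escape for HTML from the raw/stored value, not from an addslashes() copy.
echo "correct: ", renderName($stored), "\n";
echo "wrong:   ", renderFromSqlCopy($rawName), "\n";
```

Run with `php example.php`; the "wrong" line shows the leaked backslash before the apostrophe entity, which is the visible symptom of escaping for the wrong context.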