All you want to escape for MySQL is ' and \. In JavaScript you also have to consider the double quote " and the newline \n, which is equivalent to using a semicolon ;. In HTML you also want to be secure from XSS, so you want to use htmlspecialchars (as Rob said).

Anyway, I'm not sure I understood your problem, so I strongly recommend deactivating GPC, which you can do from php.ini, or by stripslashing the input variables: http://php.net/manual/en/security.magicquotes.disabling.php

Instead, if your content is already escaped and your problem is to un-escape it, try to understand how it is escaped, then str_replace or preg_replace will do the job! And yes, they are workarounds :)

On Wed, May 2, 2012 at 1:26 PM, Rob Marscher <rmarsc...@beaffinitive.com> wrote:

> On May 2, 2012, at 1:08 PM, Eugenio Tacchini wrote:
> > Now, I'm wondering if the DB specific escape functions really give
> > additional value with respect to addslashes.
>
> Chris Shiflett's article from 2006 had the best argument I've seen on why
> addslashes is not enough to secure your code.
>
> http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
>
> Keep a copy of your unescaped data. Escape it for inserting into the
> database. Then take the original unescaped data and do what else you need
> with it. If you're outputting to HTML, you need to run something like the
> following on each variable you output:
>
> echo htmlspecialchars((string) $var, ENT_QUOTES, 'UTF-8');
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org/show-participation
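The pattern the thread converges on, keep one raw copy of the input (undoing magic_quotes_gpc if it is still on) and run a separate encoder for each output context (HTML, a JavaScript string literal, a MySQL literal or, better, a bound parameter), written out as an added example. This is not code from the thread or from any of its participants; the sample input is constructed, the database host, credentials and `comments` table are placeholders, and the DB section only runs if a connection succeeds.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0 with the mysqli
// extension; connection parameters below are placeholders.

// Constructed sample: contains every character the thread worries about.
$input = "O'Reilly \"quoted\" <script>alert(1)</script>\nline2";

// 1. Get back the raw data: undo magic_quotes_gpc on PHP versions that
//    still have it (removed in PHP 8), so we never double-escape later.
function undoMagicQuotes(array $gpc): array
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        array_walk_recursive($gpc, function (&$v) { $v = stripslashes($v); });
    }
    return $gpc;
}

// 2. One encoder per output context, always fed the RAW value.
function forHtml(string $raw): string
{
    // ENT_QUOTES covers both ' and " so the value is safe inside attributes too.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

function forJsLiteral(string $raw): string
{
    // Returns a complete quoted JS string literal. json_encode escapes ", \
    // and newlines; JSON_HEX_TAG additionally encodes "<" and ">", so an
    // embedded "</script>" cannot terminate an inline script block.
    return json_encode($raw, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function forSqlLiteral(mysqli $db, string $raw): string
{
    // Connection-aware escaping: real_escape_string honours the connection
    // charset, which addslashes() cannot do.
    return "'" . $db->real_escape_string($raw) . "'";
}

// 3. Use the raw value in each context; never escape an already escaped copy.
$gpc = undoMagicQuotes(['comment' => $input]);
$raw = $gpc['comment'];

echo "<p>" . forHtml($raw) . "</p>\n";
echo "<script>var comment = " . forJsLiteral($raw) . ";</script>\n";

mysqli_report(MYSQLI_REPORT_OFF);               // do not throw on connect failure
$db = @new mysqli('db.example.invalid', 'user', 'password', 'app'); // placeholder
if ($db->connect_errno === 0) {
    $db->set_charset('utf8mb4');

    // Preferred: a prepared statement sends the value separately from the SQL.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $raw);
    $stmt->execute();

    // Fallback when a prepared statement is not an option: escape for THIS
    // connection and quote the literal yourself.
    $sql = 'INSERT INTO comments (body) VALUES (' . forSqlLiteral($db, $raw) . ')';
    // $db->query($sql);
}
```

Run it from the command line with `php example.php`; the HTML and script lines print regardless of whether the placeholder database is reachable, and the output shows the same raw string rendered three different ways rather than one addslashes() result reused everywhere.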