Escaping Data and Replacing HTML for PHP/MySQL


Isn't inserting good data and getting it out of a db a pain in the a$$?

I am going to be using the Markdown text to HTML parser
( ) for creating HTML
from user input (for a bespoke CMS) so that users can put in their own
headings, lists and links etc.

This is great and gets round all the issues of apostrophes etc. when
inserting information into a database for me.

However for other fields such as Username, First Name, Address etc. I
still need to be able to cleanly add in slashes (as well as other HTML
elements such as $ and &).

Is there a good, solid, idiot-proof solution to this, bearing in mind
that from server to server things like magic quotes will change.

My thoughts are to create a function like this below to use before
constructing SQL statements:

function prep_for_db( $value ) {
    // Only add slashes ourselves if the server has not already done it
    // via magic_quotes_gpc (otherwise the data would be escaped twice).
    if ( ini_get('magic_quotes_gpc') != true ) {
        $value = addslashes( $value );
    }

    // some other XHTML related find and replace stuff for &, $, £ etc.

    return $value;
}


The second issue is that of replacing elements such as &, $ and £ (is
there a function out there for replacing these chars or do I need to
build my own?).  If I replace these with things like &amp; they will
start taking up my characters in my db fields.  Would it be prudent to
just parse text on the way out of the db or is this gonna slow down
general browsing?

Any help and advice from more experienced PHPers would be greatly



Re: Escaping Data and Replacing HTML for PHP/MySQL

thehuby wrote:

You may want to start here:

Re: Escaping Data and Replacing HTML for PHP/MySQL

Thanks for that. They don't appear to escape all the characters I want,
I think I may need to build my own search and replace function to deal
with the ones I need (dollar for example is not covered in either
function) for XHTML and Accessibility compliance.
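The two problems raised in this thread (getting quotes and slashes safely into the database, and deciding whether to encode &, $ and £ on the way in or on the way out) have one standard answer, shown here as an added example that is not code from either poster: bind values with prepared statements so no escaping function is needed for SQL at all, store the text exactly as typed, and encode for HTML only at render time with htmlspecialchars(). The table name, column names and sample input are constructed for the example; it uses an in-memory SQLite database so it runs offline, and nothing but the DSN changes for MySQL.

```php
<?php
// Added example (not from the thread): prepared statements for storage,
// HTML encoding on output. Table, columns and sample values are made up.
declare(strict_types=1);

// SQLite in memory so this runs with no server; for MySQL the DSN would be
// 'mysql:host=localhost;dbname=cms;charset=utf8mb4' and the rest is identical.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the driver do real binding
]);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT, first_name TEXT, address TEXT)');

// Undo magic_quotes_gpc on hosts that still have it on, so the database
// receives the raw text. Guarded because the function is gone in PHP 8.
function raw_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 1. Storage: placeholders keep data and SQL separate, so quotes,
//    backslashes and semicolons in the value cannot alter the statement.
function insert_user(PDO $db, array $row): int {
    $stmt = $db->prepare(
        'INSERT INTO users (username, first_name, address)
         VALUES (:username, :first_name, :address)'
    );
    $stmt->execute([
        ':username'   => raw_input($row['username']),
        ':first_name' => raw_input($row['first_name']),
        ':address'    => raw_input($row['address']),
    ]);
    return (int) $db->lastInsertId();
}

function fetch_user(PDO $db, int $id): array {
    $stmt = $db->prepare('SELECT username, first_name, address FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// 2. Output: encode at render time. Stored text stays as typed, so entities
//    never eat into column lengths, and the same row can be reused in
//    non-HTML contexts (CSV export, email) without un-escaping it first.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input containing the characters the thread worries about.
$input = [
    'username'   => "o'brien\\x",
    'first_name' => 'Tom & "Jerry"',
    'address'    => '1 High St <b>£50 / $5</b>',
];

$id  = insert_user($db, $input);
$row = fetch_user($db, $id);

// What went in is exactly what comes out of the database...
assert($row['username'] === $input['username']);
assert($row['address']  === $input['address']);

// ...and the browser sees markup-safe text: & becomes &amp;, < becomes &lt;,
// quotes become &quot; / &#039;. £ and $ are left alone because neither
// has any meaning in HTML when the page is served as UTF-8.
echo '<p>' . h($row['first_name']) . ' (' . h($row['username']) . ')</p>' . PHP_EOL;
echo '<p>' . h($row['address']) . '</p>' . PHP_EOL;
```

On the follow-up question: `$` needs no replacement for XHTML at all, and `£` is valid as-is in a UTF-8 document (declare the charset in the Content-Type header or meta tag). If the site must be served in a legacy encoding, htmlentities() with the same flags converts `£` to `&pound;` and everything else htmlspecialchars() handles, so there is still no need for a hand-rolled search-and-replace. Encoding on output costs one function call per field, which is not measurable against the database round trip itself.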

