PHP/Mysql/special characters problem


The problem was single and double quotes.
headline is a form input field of type text.

Before writing to the DB I use:
$headline = mysql_escape_string(stripslashes($headline));

Displaying it again in a form to modify the entry:
<input type="text" name="headline" value="<? echo htmlentities($data["headline"]) ?>" size="50" maxlength="50">

For the display of textarea entries you do NOT need the htmlentities.

Re: PHP/Mysql/special characters problem

 .oO(Olaf Kliemt)


What if magic quotes are disabled? Before using stripslashes(),
addslashes() etc. you have to check for that.


Even in a textarea some chars have to be converted to entities.


Re: PHP/Mysql/special characters problem

Olaf Kliemt wrote:

This will only be correct if magic_quotes_gpc is on and $headline
comes directly from a GET, POST, or cookie variable. Wrap GPC input with
checks for get_magic_quotes_gpc() and run them through stripslashes() if
and only if that's true.

ALWAYS run strings through mysql_escape_string() before putting them
into SQL string literals to pass to MySQL, of course.


You most certainly do. Literal "&" needs to be converted (as it may be
followed by what could be character entity codes), and in particular if
the text includes a literal unescaped "</textarea>", any following text
will produce an arbitrary HTML inclusion -- creating a cross-site
scripting vulnerability.

I generally use htmlspecialchars() rather than htmlentities(), as it
doesn't disturb general text characters.

-- brion vibber (brion @
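The three points made in this thread (only strip magic-quote slashes when PHP actually added them, escape for the SQL context, and escape for the HTML context even inside a textarea) put together in one script. This is an added example, not code posted by Olaf, Micha or brion. Function names (gpc_raw, save_headline, input_field, textarea_field), the entries table and the sample input are all my own assumptions; the SQL part uses a mysqli prepared statement in place of the mysql_escape_string() call discussed above, and the other functions run without a database.

```php
<?php
// Added example for this thread, not the original poster's code.
// Assumed names: gpc_raw(), save_headline(), input_field(), textarea_field(),
// and an `entries` table with a `headline` column.

/**
 * Return a GET/POST/cookie value with magic-quote backslashes removed,
 * but only if magic quotes are actually on (the point Micha and brion make).
 * get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call with
 * function_exists(); on a modern PHP this returns the value untouched.
 */
function gpc_raw(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/**
 * SQL context. Instead of escaping the text and splicing it into the query
 * string, bind it as a parameter so it never enters the SQL grammar at all.
 * Assumes an open mysqli connection; not exercised by the demo below.
 */
function save_headline(mysqli $db, string $headline): bool
{
    $stmt = $db->prepare('INSERT INTO entries (headline) VALUES (?)');
    $stmt->bind_param('s', $headline);
    return $stmt->execute();
}

/** HTML attribute context: the value="..." of the original post's input. */
function input_field(string $name, string $value): string
{
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $n . '" value="' . $v
         . '" size="50" maxlength="50">';
}

/**
 * HTML element-content context. A textarea is NOT exempt: a literal
 * "</textarea>" in the value closes the element and everything after it
 * is parsed as markup, which is the XSS brion describes.
 */
function textarea_field(string $name, string $value): string
{
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<textarea name="' . $n . '">' . $v . '</textarea>';
}

// Constructed sample input standing in for $_POST values. Under magic quotes
// PHP would have delivered the first one as "Tom\'s \"quoted\" ...".
$headline = gpc_raw("Tom's \"quoted\" headline & friends");
$body     = gpc_raw("</textarea><script>alert(1)</script>");

// Safe renderings of both fields:
echo input_field('headline', $headline), "\n";
echo textarea_field('body', $body), "\n";

// For contrast, the unescaped textarea the first post suggests is fine.
// View the output and note that the closing tag and the script survive intact:
echo '<textarea name="body">' . $body . '</textarea>', "\n";
```

Run it with `php example.php` and compare the last two lines of output: in the escaped textarea the `<`, `>` and `&` are entities, so the browser shows the text verbatim; in the unescaped one the user-supplied `</textarea>` ends the element and the script tag that follows is live markup. htmlspecialchars() is used rather than htmlentities() for the reason brion gives: it touches only the characters that matter to the HTML parser and leaves ordinary text alone.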
