PHP/Mysql/special characters problem
Olaf Kliemt
October 26, 2004, 4:29 am
headline is a form input field of type text.
Before writing to the DB I use:

$headline = mysql_escape_string(stripslashes($headline));

Displaying it again in a form to modify the entry:

<input type="text" name="headline" value="<?php echo htmlentities($data["headline"]); ?>" size="50" maxlength="50">

For the display of textarea entries you do NOT need the htmlentities.
Re: PHP/Mysql/special characters problem
This will only be correct if magic_quotes_gpc() is on and $headline
comes directly from a GET, POST, or cookie variable. Wrap GPC input with
checks for get_magic_quotes_gpc() and run them through stripslashes if
and only if that's true.
ALWAYS run strings through mysql_escape_string() before putting them
into SQL string literals to pass to MySQL, of course.
> for the display of textarea entries you do NOT need the htmlentities

You most certainly do. Literal "&" needs to be converted (as it may be
followed by what could be character entity codes), and in particular if
the text includes a literal unescaped "</textarea>", any following text
will produce an arbitrary HTML inclusion -- creating a cross-site
I generally use htmlspecialchars() rather than htmlentities(), as it
doesn't disturb general text characters.
-- brion vibber (brion @ pobox.com)
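The reply's three points (undo magic quotes only when they are on, escape for SQL right before the query, and escape textarea content on output) as an added PHP example; this is not code from either poster. It assumes a live mysqli connection in $db for the SQL helper and that get_magic_quotes_gpc() exists (PHP before 7.4).

```php
<?php
// Added example, not from the thread. Assumes $db is a connected mysqli
// instance and that get_magic_quotes_gpc() is available (PHP < 7.4).

// Undo magic_quotes_gpc only when it is actually on, so the value kept in
// memory (and stored in the DB) is the raw text the user typed.
function gpc_raw(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape for a single-quoted SQL literal at the moment it enters the query;
// mysqli's real_escape_string is the current stand-in for mysql_escape_string.
function sql_literal(mysqli $db, string $value): string {
    return "'" . $db->real_escape_string($value) . "'";
}

function update_headline_sql(mysqli $db, int $id, string $headline): string {
    return 'UPDATE news SET headline = ' . sql_literal($db, $headline)
         . ' WHERE id = ' . $id;
}

// Output-escape textarea content: the text between the tags is still HTML,
// so "&" and a literal "</textarea>" must be neutralised just as they would
// be inside a value="" attribute.
function textarea_html(string $name, string $value): string {
    return '<textarea name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

// Constructed sample input containing both problem cases from the reply:
// an ampersand and a closing tag that would end the textarea early if echoed raw.
$headline = gpc_raw("Tom & Jerry </textarea><b>outside the field</b>");

echo textarea_html('headline', $headline), "\n";
```

In the rendered output the "</textarea>" and "<b>" survive only as `&lt;...&gt;` text inside the field, so the form structure is unchanged.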