[thelist] Single and double quotes - forms and mysql
Bob Meetin
bobm at dottedi.biz
Tue Sep 24 02:03:27 CDT 2013
Renoir,
I will take a look.
In the meantime I'm testing an 'obvious' solution. In my reading and testing I've been attempting to use mysql_real_escape_string in conjunction with addslashes because so many tutorials point to this. Dropping the addslashes when preparing the data for insert is working wonders, then adding stripslashes in reposting back to the form makes the form happy and I'm seeing the data as I want in the content table.
function escape_data ($data){
$data = mysql_real_escape_string(trim($data));
$data = str_replace("<?php", '<?php', $data);
$data = str_replace("<?", '<?', $data);
$data = str_replace("?>", '?>', $data);
return $data;
}
$title = escape_data($_POST['title']); // insert into mysql
I'm testing the above on the posted data and it seems to be working. It should not be necessary but I added a couple simple replacements to convert <?php to simple text (maybe should be case-insensitive).
For reposting the data, something like:
function post_data ($data) {
$data = htmlspecialchars (stripslashes($data));
return ($data);
}
$title = post_data($row['title']); // taken from mysql, used in the form
Bob
On 09/24/2013 10:16 AM, Renoir B. wrote:
> Sorry for double posting, I replied directly to Bob.
>
> I would recommend the use of PDO instead of direct mysql[i] access.
>
> Not only because it is an old way of working, but because a much better way
> of solving the problem. PDO is the way to go and has been implemented for a
> while now.
>
> Part of what makes it nice, is the capacity to regroup many inserts, update
> together. Statements via PDO also enforce string sanitization directly.
>
> Have a look at the examples [1] here.
>
> Hope I got caught your curiosity.
>
> [1]: http://php.net/manual/en/book.pdo.php
>
> Regards,
>
> Renoir Boulanger
> W3C | Developer Operations Engineer WebPlatform Docs
>
> http://w3.org/People/#renoirb ✪ https://renoirboulanger.com/ ✪ @renoirb
> ~
--
Bob Meetin
www.dottedi.biz
303-926-0167 (m)
More information about the thelist
mailing list