[thelist] Single and double quotes - forms and mysql

Bob Meetin bobm at dottedi.biz
Tue Sep 24 02:03:27 CDT 2013


I will take a look.

In the meantime I'm testing an 'obvious' solution. In my reading and testing I've been attempting to use mysql_real_escape_string in conjunction with addslashes because so many tutorials point to this. Dropping the addslashes when preparing the data for insert is working wonders, then adding stripslashes in reposting back to the form makes the form happy and I'm seeing the data as I want in the content table.

function escape_data ($data){
   $data = mysql_real_escape_string(trim($data));
   $data = str_replace("<?php", '&lt;?php',  $data);
   $data = str_replace("<?", '&lt;?',  $data);
   $data = str_replace("?>", '?&gt;',  $data);
   return $data;

$title = escape_data($_POST['title']); // insert into mysql

I'm testing the above on the posted data and it seems to be working. It should not be necessary but I added a couple simple replacements to convert <?php to simple text (maybe should be case-insensitive).

For reposting the data, something like:

function post_data ($data) {
   $data =  htmlspecialchars (stripslashes($data));
   return ($data);

$title = post_data($row['title']); // taken from mysql, used in the form


On 09/24/2013 10:16 AM, Renoir B. wrote:
> Sorry for double posting, I replied directly to Bob.
> I would recommend the use of PDO instead of direct mysql[i] access.
> Not only because it is an old way of working, but because a much better way
> of solving the problem. PDO is the way to go and has been implemented for a
> while now.
> Part of what makes it nice, is the capacity to regroup many inserts, update
> together. Statements via PDO also enforce string sanitization directly.
> Have a look at the examples [1] here.
> Hope I got caught your curiosity.
>    [1]:  http://php.net/manual/en/book.pdo.php
> Regards,
> Renoir Boulanger
> W3C | Developer Operations Engineer WebPlatform Docs
> http://w3.org/People/#renoirbhttps://renoirboulanger.com/  ✪  @renoirb
> ~

Bob Meetin
303-926-0167 (m)

More information about the thelist mailing list