On 9/29/06, Ivo F.A.C. Fokkema <[EMAIL PROTECTED]> wrote:
On Thu, 28 Sep 2006 11:33:06 -0400, Eric Butera wrote:
He's not actually *putting* it in a database, so isn't it useless to use a
mysql_ function for this...? Maybe I misunderstand Tedd and he does use a
database, as I don't see why he would need mysql_real_escape_string() for
cleaning input...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Ivo,
If that is the case then I am sorry for posting an irrelevant comment.
I just figured somebody using mysql escaping was putting it in the
DB.

Tedd,
Not to make a big deal out of this, but are you aware of the
differences between filtering input and escaping output?
mysql_real_escape_string is for escaping something for the database.
It doesn't filter or clean anything.  Just like htmlentities escapes
for html output.

Use regexes for cleaning user input.  A good example of this would be
Zend_Filter on the Zend framework.  They made methods such as getAlpha
for only returning alphabetical characters.  This way you clean your
data to make it exactly what you want versus escaping it to make sure
where you are putting it accepts it.

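The distinction Eric draws above, filtering (deciding what the data may be) versus escaping (making data inert for one particular sink), as an added example that is not part of the original thread. It uses current PHP APIs rather than the mysql_ extension, which was removed in PHP 7: the database side uses a PDO prepared statement against an in-memory SQLite table so the script runs without a MySQL server (an assumption for the example), and the function names filterAlpha, isValidUsername, escapeHtml and lookupUser, along with the hostile input string, are constructed for illustration.

```php
<?php
// Added example, not code from the original mailing-list thread.
// Shows filtering input versus escaping output; all names are illustrative.

declare(strict_types=1);

// Filtering: whitelist by regex, in the spirit of Zend_Filter's getAlpha.
// Returns only the characters we want and drops everything else.
function filterAlpha(string $input): string
{
    return preg_replace('/[^A-Za-z]/', '', $input);
}

// Stricter filtering: validate and reject rather than strip. Refusing bad
// input is usually safer than silently reshaping it into something else.
function isValidUsername(string $input): bool
{
    return preg_match('/^[A-Za-z][A-Za-z0-9_]{2,31}$/', $input) === 1;
}

// Escaping for HTML output: cleans nothing, only makes the string inert
// when placed in an HTML text node or quoted attribute value.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escaping for the database: the modern replacement for
// mysql_real_escape_string() is to not interpolate at all and bind a
// parameter. The value is sent as data, never parsed as SQL.
function lookupUser(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile input: a SQL injection attempt and an XSS payload
// in one string, as a user might submit through a form field.
$raw = "bob' OR '1'='1 <script>alert(1)</script>";

echo "filtered (alpha only): ", filterAlpha($raw), "\n";
echo "valid username?       ", var_export(isValidUsername($raw), true), "\n";
echo "escaped for HTML:     ", escapeHtml($raw), "\n";

// In-memory SQLite (assumption for the example) so this runs without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// The bound parameter is compared as a literal string, so the injection
// matches no row while a legitimate name still does.
echo "rows matched by hostile input: ", count(lookupUser($db, $raw)), "\n";
echo "rows matched by 'bob':         ", count(lookupUser($db, 'bob')), "\n";
```

The point of running both halves side by side is that neither replaces the other: filterAlpha() and isValidUsername() decide whether the value is acceptable at all, while escapeHtml() and the bound parameter in lookupUser() make an already-accepted value safe for one specific destination. A value that passes validation still needs escaping for HTML, and a value that has been escaped for SQL is not thereby safe to echo into a page.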
