Bastien Koert wrote:
> use mysql_real_escape_string
>
> bastien
>> Date: Fri, 14 Dec 2007 08:40:47 -0600
>> From: [EMAIL PROTECTED]
>> To: [email protected]
>> Subject: [PHP] how to handle inserting special characters into a mysql field
>>
>> I'm going to be inserting data from a PHP form into a mysql field. The
>> data could contain special characters like < > ' " \ /, etc. How do I
>> handle that? just $data = addslashes(htmlspecialchars($data)); before
>> the insert query? because later on the data will be read back from the
>> mysql db and I don't want it to contain a special character that would
>> break the PHP script.
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
I think both of you missed the OP's point.
He wants it to be safe when he prints out the content into an HTML page.
Hence, he wants < > to be safe. Granted, what you suggest is correct for
CYA'ing when you insert into the DB.
But, what I think the OP really wants is killing the HTML characters.

OP,
I would do two things.
1. When inserting your data into your SQL string, escape it using
   mysql_real_escape_string, or escape_string() if you are using the
   mysqli extension.
2. When you pull your data out of the DB to be displayed on screen,
   pass it through htmlspecialchars() or htmlentities().
   htmlspecialchars() uses a subset of htmlentities(); your choice
   which one to use.

I would not use addslashes() anywhere. The first step above eliminates
the need to use addslashes().
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
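The two-step separation Jim describes (escape for SQL on the way in, escape for HTML on the way out, never addslashes()), written out as an added example that is not code from this thread; it uses the mysqli extension, and the connection details and the `comments(id, body)` table are placeholders.

```php
<?php
// Added illustration of the two steps above; connection values are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping is charset-aware, so set this before escaping anything

// Step 1: escape for SQL on the way in. Nothing else (no addslashes, no htmlspecialchars)
// touches the value here, so the DB stores exactly what the user typed.
function storeComment(mysqli $db, string $raw): bool
{
    $forSql = $db->real_escape_string($raw);   // mysqli counterpart of mysql_real_escape_string()
    return $db->query("INSERT INTO comments (body) VALUES ('$forSql')") === true;
}

// Same step with a prepared statement: the value travels separately from the SQL text,
// so no escaping of the value is needed at all (the stronger choice where available).
function storeCommentPrepared(mysqli $db, string $raw): bool
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $raw);
    return $stmt->execute();
}

// Step 2: escape for HTML on the way out, and only there.
function renderComments(mysqli $db): string
{
    $html = '';
    $result = $db->query('SELECT body FROM comments ORDER BY id');
    while ($row = $result->fetch_assoc()) {
        // ENT_QUOTES also converts the single quote, so the text is safe inside quoted attributes.
        $html .= '<p>' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Constructed input containing every character the OP listed plus a tag.
$input = '< > \' " \\ / <b>not bold</b>';
storeCommentPrepared($db, $input);
echo renderComments($db);
```

The browser shows the stored text literally (the `<b>` arrives as `&lt;b&gt;`), while the row in the table still holds the raw characters, so the same data can be re-used in a non-HTML context without undoing any escaping.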
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php