> I've read the documentation but am still confused about what
> to use when.
>
> When passing data from forms to database, which do I use?
> When retrieving data from database to display in forms,
> which do I use?

Kinda depends on what you're using the data for really. If you don't care about preserving formatting of any sort or keeping any html tags that are included then strip the lot out before you drop it into your database. If you want to keep it all then you'll need to be more selective.

As a general rule, though, you'll need to 'escape' anything that your database won't like - this is typically the ' and " chars. Addslashes() will do that for you. Anything else you want to do depends on what you need the data for.

When you suck the data back out you'll obviously need to stripslashes() to get rid of the 'escape' chars you added above. Then you'll also need to do any other processing required - for example, converting \n to <br> if you're just displaying data on a page (nl2br()). If you're actually sucking that data back out to go into a textarea in a form or something then you won't do that.

Unless you're particularly careful it's probably worth stripping out all html tags anyway as they offer the potential to have someone include scripting. When displaying to a html page you probably also want to convert special chars to html entities using htmlspecialchars().

I may have missed some stuff here, didn't bother looking at a manual while writing this but I hope you'll get the idea.

CYA,
Dave

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
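
An added example, not part of the original post: the round trip discussed in this thread (form to database, then database back out to a page or to a textarea), written in PHP. It assumes the pdo_sqlite extension and a hypothetical comments table, and it binds the value with a PDO prepared statement in place of addslashes()/stripslashes(), so nothing has to be un-escaped on the way out.

```php
<?php
// Constructed sample input, as it might arrive from a form's textarea.
$input = "Hello <b>world</b>\n<script>alert('x')</script> it's \"quoted\"";

// In-memory SQLite database so the example runs offline
// (assumption: the pdo_sqlite extension is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Form -> database: the value travels as a bound parameter, never as part
// of the SQL text, so quotes in it need no manual escaping.
function save_comment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Database -> PHP: the stored text comes back byte for byte as it went in.
function load_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Database -> HTML page: encode special chars first, then turn newlines
// into <br>. Doing it in the other order would encode the <br> tags too.
function for_page(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

// Database -> textarea: encode, but keep real newlines (no nl2br()).
function for_textarea(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

$stored = load_comment($db, save_comment($db, $input));

echo for_page($stored), "\n\n";
echo '<textarea name="body">', for_textarea($stored), "</textarea>\n\n";

// If the tags themselves are unwanted, strip them before encoding.
echo for_page(strip_tags($stored)), "\n";
```

The output encoding is chosen per destination at display time, which is why the stored value is left unmodified.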