Page 2 of 2

Posted: Sat Aug 06, 2005 7:12 pm
by feyd
I'd actually perform a stripslashes() if magic quotes are on, and perform a mysql_real_escape_string() on the data being passed into the query only.

Posted: Sun Aug 07, 2005 5:07 pm
by influx
Question:

On the site I allow people to make posts, and when they are editing their posts in their member pages, I use a WYSIWYG editor ("RTE: Rich text editor").

With the webapp came the following function for inputting the formatted text into a database safely:

Code: Select all

function RTESafe($strText)
{
	//returns safe code for preloading in the RTE
	$tmpString = trim($strText);
		
	//convert all types of single quotes
	$tmpString = str_replace(chr(145), chr(39), $tmpString);
	$tmpString = str_replace(chr(146), chr(39), $tmpString);
	$tmpString = str_replace("'", "'", $tmpString);
		
	//convert all types of double quotes
	$tmpString = str_replace(chr(147), chr(34), $tmpString);
	$tmpString = str_replace(chr(148), chr(34), $tmpString);
	//$tmpString = str_replace("\"", "\"", $tmpString);
		
	//replace carriage returns & line feeds
	$tmpString = str_replace(chr(10), " ", $tmpString);
	$tmpString = str_replace(chr(13), " ", $tmpString);
		
	return $tmpString;
}
Should I keep this function? Does it do the same thing as mysql_real_escape_string()?