Dealing with strings
Moderator: General Moderators
- seodevhead
- Forum Regular
- Posts: 705
- Joined: Sat Oct 08, 2005 8:18 pm
- Location: Windermere, FL
Hey guys.. I am pretty good with php/mysql.. and when users submit strings to my scripts... I always ran them through mysql_real_escape_string() ... However, I am writing a script now that does not use MySQL at all... just basic PHP stuff. I can't use the mysql functions cause I am not connected to a DB... what is the next best thing to use for this application of just PHP? Thanks!
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
addslashes() for inserting in storage, stripslashes() when displaying, htmlentities() when displaying to prevent XSS attacks
- twigletmac
- Her Royal Site Adminness
- Posts: 5371
- Joined: Tue Apr 23, 2002 2:21 am
- Location: Essex, UK
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
And let's remember to use
htmlentities('some string', ENT_QUOTES, 'UTF-8');
if at all possible...wouldn't want anyone causing mischief with creative character encodings...
If magic quotes are enabled you may want to stripslashes() on all incoming GET/POST/COOKIE variables. Where MySQL is not in use, use addslashes (on the stripslashed data), or a more DBMS-specific function on the storage media (not always available). For anything else use the above for display via HTML.
Is there another context you had in mind if not a Database or HTML?
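A worked example of the sequence the two replies above describe: undo magic quotes on incoming data, addslashes()/stripslashes() around flat-file storage, and htmlentities() with ENT_QUOTES and an explicit UTF-8 charset for display. This is added example code, not code from the thread; the helper names (rawInput, forHtml, forStorage, fromStorage) and the sample input are assumptions made for the demonstration.

```php
<?php
// Added example, not from the thread. Each helper escapes for exactly one
// context; the sample input below is constructed for the demo.

// Undo magic_quotes_gpc escaping so the rest of the script sees the raw value.
// get_magic_quotes_gpc() is a PHP 5 function (always false from 5.4, removed
// in PHP 8), so it is guarded with function_exists().
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// HTML context: ENT_QUOTES encodes both ' and ", and naming the charset
// keeps a multibyte sequence from being misread as an ASCII quote.
function forHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Flat-file storage with no DBMS: addslashes() before writing,
// stripslashes() after reading, so the stored form round-trips.
function forStorage(string $value): string
{
    return addslashes($value);
}

function fromStorage(string $value): string
{
    return stripslashes($value);
}

// Constructed sample input, as if it came from $_POST['comment'].
$submitted = rawInput("O'Reilly <b>said</b> \"hi\"");

$stored = forStorage($submitted);   // what gets written to the file
$loaded = fromStorage($stored);     // what comes back out of the file

// The storage escaping must round-trip exactly; it is not an HTML control.
if ($loaded !== $submitted) {
    throw new RuntimeException('storage round-trip changed the value');
}

// Only the HTML escaping happens at display time, on the restored string.
echo forHtml($loaded), "\n";
```

The point the helpers make explicit is that addslashes() belongs to the storage step and htmlentities() to the display step: applying the storage escape to output does not neutralise markup, and applying the HTML escape before storage corrupts the stored value on every edit. Any other output context (a URL, a shell command, JavaScript) needs its own function, which is what the last question in the reply above is getting at.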