Dealing with strings


seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Dealing with strings

Post by seodevhead »

Hey guys.. I am pretty good with php/mysql.. and when users submit strings to my scripts... I always ran them through mysql_real_escape_string() ... However, I am writing a script now that does not use MySQL at all... just basic PHP stuff. I can't use the mysql functions cause I am not connected to a DB... what is the next best thing to use for this application of just PHP? Thanks!
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

addslashes() for inserting in storage, stripslashes() when displaying, htmlentities() when displaying to prevent XSS attacks
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

What if magic_quotes_gpc is ON?
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Then you shouldn't need addslashes().

Mac
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

And let's remember to use

htmlentities('some string', ENT_QUOTES, 'UTF-8');

if at all possible...wouldn't want anyone causing mischief with creative character encodings...

If magic quotes are enabled you may want to stripslashes() on all incoming GET/POST/COOKIE variables. Where MySQL is not in use, use addslashes (on the stripslashed data), or a more DBMS-specific function on the storage media (not always available). For anything else use the above for display via HTML.

Is there another context you had in mind if not a Database or HTML?
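The magic_quotes / addslashes() / htmlentities() flow described in the replies above, written out as an added PHP example (not code posted in this thread). The helper names are my own, and the magic_quotes check assumes PHP 5.x-7.x; on PHP 8 the function_exists() guard simply reports the setting as off.

```php
<?php
// Added example: the input-normalise / store / display steps the thread
// recommends, one small function per step. Names are hypothetical.

// Undo magic_quotes_gpc on one incoming GET/POST/COOKIE value so the
// script works on the raw text the user actually typed.
function raw_input(string $value): string
{
    // get_magic_quotes_gpc() only exists on PHP < 8, hence the guard.
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Prepare a raw value for a non-MySQL storage layer that wants
// backslash-escaped quotes (addslashes, as the replies suggest).
function for_storage(string $value): string
{
    return addslashes($value);
}

// Reverse for_storage() when the value is read back.
function from_storage(string $value): string
{
    return stripslashes($value);
}

// Escape a raw value for output inside HTML, including attribute values.
// ENT_QUOTES also converts single quotes; naming the charset stops
// multibyte sequences from being misread as markup.
function for_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a submitted string containing quotes and markup.
$submitted = 'O\'Reilly said "<b>hi</b>"';

$raw    = raw_input($submitted);
$stored = for_storage($raw);      // O\'Reilly said \"<b>hi</b>\"
$back   = from_storage($stored);  // identical to $raw again
$html   = for_html($back);        // O&#039;Reilly said &quot;&lt;b&gt;hi&lt;/b&gt;&quot;

var_dump($back === $raw);         // bool(true): storage round-trip is lossless
echo $html, "\n";                 // safe to place inside HTML text or attributes
```

Note that the storage step and the display step are separate: the value is escaped for HTML only at output time, from the raw (stripslashed) text, never from the addslashes() form.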