Dealing with strings
Posted: Thu Jan 05, 2006 12:08 pm
by seodevhead
Hey guys. I am pretty good with PHP/MySQL, and when users submit strings to my scripts I always run them through mysql_real_escape_string(). However, I am writing a script now that does not use MySQL at all, just basic PHP stuff. I can't use the mysql functions because I am not connected to a DB. What is the next best thing to use for this application of just PHP? Thanks!
Posted: Thu Jan 05, 2006 12:18 pm
by John Cartwright
addslashes() for inserting into storage,
stripslashes() when displaying,
htmlentities() when displaying to prevent XSS attacks.
Posted: Thu Jan 05, 2006 12:27 pm
by seodevhead
What if magic_quotes_gpc is ON?
Posted: Thu Jan 05, 2006 2:08 pm
by twigletmac
Then you shouldn't need addslashes().
Mac
Posted: Thu Jan 05, 2006 3:21 pm
by Maugrim_The_Reaper
And let's remember to use
htmlentities('some string', ENT_QUOTES, 'UTF-8');
if at all possible... wouldn't want anyone causing mischief with creative character encodings.
If magic quotes are enabled you may want to stripslashes() all incoming GET/POST/COOKIE variables. Where MySQL is not in use, use addslashes() (on the stripslashed data), or a more DBMS-specific function for the storage medium (not always available). For anything else, use the above for display via HTML.
Is there another context you had in mind if not a Database or HTML?
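The following script is an added worked example and is not code posted by anyone in this thread. It puts John Cartwright's three-step recipe (addslashes() for storage, stripslashes() on read, htmlentities() on display) together with Maugrim_The_Reaper's refinements (undo magic_quotes_gpc on incoming data first, and always pass ENT_QUOTES and 'UTF-8' to htmlentities()). The function names, the NUL-separated flat-file format, the temporary file and the sample "POST" input are this example's own choices; it targets PHP 7.4 or later, where magic quotes no longer exist, so the magic-quotes check is guarded. It also adds ENT_SUBSTITUTE, which is not mentioned in the thread: without it, htmlentities() returns an empty string for invalid UTF-8 input (PHP 5.4 and later) rather than a replacement character.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from any of its posters.
// Recipe: undo magic_quotes_gpc on input -> addslashes() before writing to a
// flat file -> stripslashes() when reading back -> htmlentities() with
// ENT_QUOTES and UTF-8 when emitting HTML. Names and file format are ours.

// 1. Input. If magic_quotes_gpc already backslashed GET/POST/COOKIE, strip the
//    slashes so the script holds the raw string. The directive was removed in
//    PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, hence the function_exists guard.
function undoMagicQuotes(array $input): array
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $input;
    }
    $out = [];
    foreach ($input as $k => $v) {
        $out[$k] = is_array($v) ? undoMagicQuotes($v) : stripslashes((string) $v);
    }
    return $out;
}

// 2. Storage. addslashes() escapes ' " \ and NUL, so its output never contains
//    a raw NUL byte; that makes "\0" a record separator the data cannot forge.
//    A newline would NOT be safe here: addslashes() leaves newlines untouched.
function appendRecord(string $file, string $raw): void
{
    file_put_contents($file, addslashes($raw) . "\0", FILE_APPEND | LOCK_EX);
}

function readRecords(string $file): array
{
    $data = file_get_contents($file);
    if ($data === false || $data === '') {
        return [];
    }
    $records = explode("\0", substr($data, 0, -1)); // drop the final separator only
    return array_map('stripslashes', $records);     // undo addslashes() on read
}

// 3. Display. ENT_QUOTES encodes ' as well as ", so the value is safe inside
//    single- or double-quoted attributes. ENT_SUBSTITUTE (PHP 5.4+) maps invalid
//    UTF-8 to U+FFFD instead of making htmlentities() return ''.
function toHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$inputs = [
    "O'Reilly said \"hi\" \\ and tried ' onmouseover='alert(1)",
    "second record with a raw NUL \0 byte inside",
    "invalid utf-8: \xC3\x28",
];
$post = undoMagicQuotes(['comment' => $inputs]);

$file = tempnam(sys_get_temp_dir(), 'rec');
foreach ($post['comment'] as $comment) {
    appendRecord($file, $comment);
}

foreach (readRecords($file) as $i => $rec) {
    if ($rec !== $inputs[$i]) {            // the store/read round trip is lossless
        throw new RuntimeException("record $i changed in storage");
    }
    echo "<input value='" . toHtml($rec) . "'>\n";
}
unlink($file);

// Why ENT_QUOTES matters: with ENT_COMPAT the single quote passes through and
// the attacker's input would close the single-quoted attribute above.
$payload = "' onmouseover='alert(1)";
echo htmlentities($payload, ENT_COMPAT, 'UTF-8'), "\n"; // ' onmouseover='alert(1)
echo toHtml($payload), "\n";                             // &#039; onmouseover=&#039;alert(1)
```

Run it with `php` from the command line; the three `<input>` lines show the escaped output, and the last two lines show the single quote surviving under ENT_COMPAT but being encoded under ENT_QUOTES. The separator choice is the part worth remembering: an escaping function only protects the consumer whose special characters it actually escapes, which is the same reason the thread recommends a DBMS-specific function when a database is involved.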