MySQL And Inserting HTML Code
Posted: Fri Nov 17, 2006 6:34 pm
I have a PHP script that allows me to edit the contents of a page and store the contents in a database. Usually there is HTML involved, and it is being stored in the database.
Now my question is this - Do I need to worry about the quotes in HTML interfering with SQL quotes when inserting/etc? Or will it be alright because of the single quotes for SQL and double quotes for HTML values? I started studying PHP recently, so I am still trying to figure a few things out. I have a PHP script that takes data from a form (where the HTML code would be), and the form POSTs data to a script. I assign all the $_POST values to local variables and then insert into the database using those variables.
Right now it does not do anything to deal with quotes. I know there is something about magic_quotes, but am unsure what my current settings are. Should I stripslashes() and then use mysql_real_escape_string(), or do something else, or am I ok as it is?
It doesn't have any problems that I know of so far, but I want to make it as good as possible.
PS: Along the same lines - when I use the SQL tab in phpMyAdmin and INSERT data, do I need to escape the quotes in the HTML code or not? It takes forever to escape them all that way...
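Added example, not part of the original post or any reply: it shows why the "single quotes for SQL, double quotes for HTML" idea gives no protection (the HTML only has to contain an apostrophe, such as "Don't"), and compares naive interpolation, driver-side escaping (the PDO equivalent of mysql_real_escape_string) and a prepared statement. It uses PDO with an in-memory SQLite database so it runs offline; the table name `pages`, the column `body` and the sample content are constructed for the example, and the same PDO calls work unchanged against MySQL with a `mysql:` DSN.

```php
<?php
// Added example (not from the original post). Demonstrates that the quote
// style of the HTML does not protect an SQL literal, and that a prepared
// statement stores the HTML unchanged. PDO + in-memory SQLite so it runs
// offline; swap the DSN for mysql:host=...;dbname=... to use MySQL.

// Constructed sample: page content as it might arrive in $_POST['content'].
// Double-quoted HTML attribute, plus ordinary apostrophes in the text.
$content = "<p class=\"intro\">Don't panic, it's <b>fine</b>.</p>";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// 1. Naive interpolation (what the post currently does). The apostrophe in
//    "Don't" closes the SQL string literal early, so the statement is
//    malformed; with attacker-chosen text, the rest of the input becomes
//    attacker-chosen SQL. Returns false when the database rejects it.
function insertNaive(PDO $db, string $body): bool
{
    try {
        $db->exec("INSERT INTO pages (body) VALUES ('$body')");
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// 2. Escaping. PDO::quote() wraps the value in quotes and escapes it for
//    the current driver (the role mysql_real_escape_string plays for the
//    old mysql extension). It works, but only if you remember it for every
//    value on every query, and only if the input has not already had
//    backslashes added by magic_quotes_gpc (hence the stripslashes dance).
function insertEscaped(PDO $db, string $body): bool
{
    $db->exec('INSERT INTO pages (body) VALUES (' . $db->quote($body) . ')');
    return true;
}

// 3. Prepared statement. The value is sent separately from the SQL text,
//    so no quote of any kind inside it can change what the statement does.
//    Returns the new row id.
function insertPrepared(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO pages (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Reading it back the same way: a parameter, never string interpolation.
function fetchBody(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

var_dump(insertNaive($db, $content));        // the apostrophe breaks the SQL
var_dump(insertEscaped($db, $content));      // escaped copy is accepted
$id = insertPrepared($db, $content);
var_dump(fetchBody($db, $id) === $content);  // stored byte-for-byte
```

The same rule answers the phpMyAdmin part of the question: inside a single-quoted MySQL string literal the double quotes in the HTML need no escaping, but every single quote must be doubled (`''`) or backslash-escaped, which is exactly what `PDO::quote()` / `mysql_real_escape_string()` do for you. Hand-escaping a large block of HTML in the SQL tab is error-prone; pasting it into the form that feeds a prepared statement avoids the problem entirely.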