Displaying text after using mysql_real_escape_string
Posted: Tue Aug 04, 2009 1:38 pm
Hello!
I've been working on an addition to my gaming site that allows members to register a "character's" name to be displayed in a profile page.
I am using mysql_real_escape_string($charname) to add slashes before inserting the name into the database. The problem comes when we display the name. A lot of the names have an ' in them; they are odd fictional names like J'Rikka for example. It obviously displays J/'Rikka.
I had thought of using stripslashes($charname) before displaying it, but that obviously brings the problem back. I tested inserting a script in the name, and sure enough it executed when displayed. I have since added strip_tags($charname) before saving it which fixes that; but I still have the slashes in there.
So if I use both mysql_real_escape_string($charname) and strip_tags($charname) before inserting into the database, am I safe using stripslashes($charname) to display the name?
Thanks!
--Fligg
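As an added illustration (not code from the original post), the snippet below keeps the two escaping layers the post mixes up separate: SQL escaping happens once, at storage time, and HTML encoding happens once, at display time, so a stored J'Rikka keeps its apostrophe and a name containing `<script>` is rendered harmlessly. It assumes a mysqli connection in `$db` (or a legacy mysql link in `$link`) and a table `characters` with columns `member_id` and `charname`; those names are assumptions.

```php
<?php
// Added example, not from the original post. Assumed schema: table `characters`
// with columns `member_id` (int) and `charname` (varchar).

// If magic_quotes_gpc is on (PHP < 5.4), request data already carries backslashes.
// Undo them once so the value is escaped exactly once below, never twice.
function raw_input($value) {
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value)
        : $value;
}

// Storage: a prepared statement hands the name to MySQL as data, so nothing is
// added to the stored value. "J'Rikka" is stored as J'Rikka, no stripslashes needed.
function save_charname(mysqli $db, $member_id, $charname) {
    $stmt = $db->prepare('INSERT INTO characters (member_id, charname) VALUES (?, ?)');
    $stmt->bind_param('is', $member_id, $charname);
    return $stmt->execute();
}

// Equivalent with the mysql_* extension used in the post: the backslash that
// mysql_real_escape_string adds is consumed by MySQL's parser, so the stored value
// still contains the plain apostrophe. Slashes showing up in the database mean the
// value was escaped twice (typically magic_quotes_gpc plus this call).
function save_charname_legacy($link, $member_id, $charname) {
    $sql = sprintf("INSERT INTO characters (member_id, charname) VALUES (%d, '%s')",
        (int) $member_id, mysql_real_escape_string($charname, $link));
    return mysql_query($sql, $link);
}

// Display: encode for HTML at output time, not at storage time. This neutralises
// a <script> tag in a name without altering what is stored, and keeps the apostrophe.
function display_charname($charname) {
    return htmlspecialchars($charname, ENT_QUOTES, 'UTF-8');
}

$charname = raw_input($_POST['charname']);          // e.g. "J'Rikka"
save_charname($db, (int) $_SESSION['member_id'], $charname);
echo '<p>Character: ' . display_charname($charname) . '</p>';
```

With this split, strip_tags and stripslashes are no longer needed anywhere in the path: the database holds the name exactly as typed, and htmlspecialchars at output is what stops it executing in the browser.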