
Securing from textarea input

Posted: Tue Jul 20, 2010 7:39 pm
by Skiddles2010
I could use some help wrapping my head around this. I'd like to know what's a good way to go about securing multi-paragraph textarea inputs? The user will be inputting some kind of "How-To" guide of their own, so I need to allow things like periods, semicolons, apostrophes, question marks, new lines etc. Using mysql_real_escape_string, if a user enters something like, "Vinny's Recipe", it ends up displaying as "Vinny\\\'s Recipe". How do I avoid this? The form takes a number of different inputs from textareas, textfields, drop lists, and an image upload field. In its present stage, the only "security" I have on those POST variables is that each one is filtered through mysql_real_escape_string prior to being utilized. Any advice on how to secure this?

Re: Securing from textarea input

Posted: Tue Jul 20, 2010 7:44 pm
by superdezign
The extra slashes come from adding slashes to slashes. This can occur if you escape the data twice. Either you are running an escape function (i.e. mysql_real_escape_string) twice on the same data, or you have Magic Quotes enabled, which is the usual culprit. This can be disabled in the php.ini file, the .htaccess file, or by using stripslashes on the input data.
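
The double escaping described in this thread, reproduced as an added example that is not part of either post. The helper names (`simulate_magic_quotes`, `escape_for_sql`, `undo_magic_quotes`, `magic_quotes_active`) are hypothetical, and `addslashes()` stands in for `mysql_real_escape_string()` so the script runs without a database connection.

```php
<?php
// Constructed sample: what the user typed into the textarea.
$typed = "Vinny's Recipe";

// Magic Quotes runs addslashes() over GET/POST/COOKIE data before the script
// sees it. Simulated here so the example runs on builds without the feature.
function simulate_magic_quotes($value) {
    return addslashes($value);
}

// Assumption: stand-in for mysql_real_escape_string(), which needs a live
// connection. For quotes and backslashes it adds the same backslashes.
function escape_for_sql($value) {
    return addslashes($value);
}

// Undo Magic Quotes exactly once, walking nested arrays such as name="steps[]".
function undo_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// True only where the feature still exists and is switched on.
function magic_quotes_active() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// In a real request handler: normalise the input once, at the top of the script.
if (magic_quotes_active()) {
    $_POST = undo_magic_quotes($_POST);
}

// Offline walk-through with the constructed sample.
$post = array('title' => simulate_magic_quotes($typed));

// Escaping the already-slashed value doubles up the backslashes.
$escapedTwice = escape_for_sql($post['title']);

// Stripping first means the value is escaped exactly once.
$clean = undo_magic_quotes($post);
$escapedOnce = escape_for_sql($clean['title']);

echo "as received:   {$post['title']}\n";
echo "escaped twice: $escapedTwice\n";
echo "escaped once:  $escapedOnce\n";
```

Run from the command line, the "escaped twice" line shows the same three-backslash string as the question, while the "escaped once" line is what the database escape function should receive.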