Moderator: General Moderators
I keep Data in variables to always be the "raw" data (nothing escaped, converted to entities, etc)
For putting data into the database, use mysql_real_escape_string() (or prepared statements via PDO). *Note*: if it is a value going to a field that only holds integers, I will generally use (int) in front of it to force PHP to treat the data as an integer. ex.
$intPK = (isset($_GET['pk']) ? (int)$_GET['pk'] : 0);
For using data as part of a querystring in a link, use urlencode().
Remember the golden rule for handling data with PHP: NEVER trust anything that comes from the client. Examples: $_POST, $_GET, $_COOKIE, $_SERVER['HTTP_REFERER'], $_SERVER['PHP_SELF'], $_SERVER['HTTP_USER_AGENT']
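The pattern the post describes, as an added example that is not part of the original post: the client values stay raw in their variables, and each sink (integer column, prepared statement, query string, HTML) gets its own encoding at the point of use. Two notes from a practitioner's side: the `mysql_*` extension (and with it `mysql_real_escape_string()`) was removed in PHP 7.0, so the database part uses PDO; and the `(int)` cast matters because escaping only protects quoted string literals, so an unquoted `WHERE id = $x` is still injectable unless the value is forced to an integer. The `users` table, its columns and the PDO credentials are hypothetical.

```php
<?php
// Added example, not code from the original post. Table `users(id INT, name VARCHAR)`
// and the DSN/credentials are assumptions.
declare(strict_types=1);

// 1. Raw client data: untrusted, kept unescaped in the variable.
$rawName = $_GET['name'] ?? '';

// 2. Integer field: the cast, not escaping, is what protects an unquoted column.
//    "5 OR 1=1" becomes 5, "abc" becomes 0, "" becomes 0.
$intPK = isset($_GET['pk']) ? (int)$_GET['pk'] : 0;

// 3. Database sink: prepared statement; the driver does the quoting.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id AND name = :name');
$stmt->bindValue(':id',   $intPK,   PDO::PARAM_INT);
$stmt->bindValue(':name', $rawName, PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. Query-string sink: urlencode() each value separately, never the whole URL.
function buildProfileLink(int $pk, string $name): string
{
    return 'profile.php?pk=' . urlencode((string) $pk) . '&name=' . urlencode($name);
}
$link = buildProfileLink($intPK, $rawName);

// 5. HTML sink: entities are applied only here, at output time.
echo '<a href="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '">'
   . htmlspecialchars($row['name'] ?? $rawName, ENT_QUOTES, 'UTF-8')
   . '</a>';
```

Because the variables are never pre-escaped, the same `$rawName` can be bound to the query, placed in the link and echoed into HTML without double-encoding; the encoding is chosen by the destination, not by where the data came from.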