1) Why do they use htmlspecialchars and not mysql_real_escape_string?
2) Is this code any good?
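// Encode characters that are significant in HTML, plus two the application
// evidently treats as special ('$' and '<?'), as HTML entities before storage,
// so the stored value renders literally when it is later echoed into a page.
// This is HTML-context output encoding, not SQL escaping: none of these
// replacements make $data safe to splice into a query string, so the query
// layer still needs parameterised statements (or at minimum the driver's own
// escaping function) regardless of this step.
// NOTE(review): the entity forms in $replace were restored here; the copy on
// the page had been decoded back to the raw characters, which turned the
// mapping into an identity and left unbalanced string literals (''' and '\').
$search  = array('$', '"', "'", '\\', '<?');
$replace = array('&#036;', '&quot;', '&#039;', '&#092;', '&lt;?');
$ret = str_replace($search, $replace, $data);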
3) And this one?
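// Fully HTML-encode $data in the configured charset (ENT_QUOTES covers both
// quote styles), then encode backslashes, which htmlspecialchars leaves alone.
// This too is HTML-context encoding only; it is not SQL escaping and gives no
// protection when the result is interpolated into a query.
// The preg_replace undoes the double-encoding htmlspecialchars applies to
// numeric entities ("&amp;#123;" back to "&#123;"), so a numeric entity
// present in the input survives as a live entity rather than literal text —
// a deliberate relaxation of the encoding that reviewers should be aware of.
// NOTE(review): the "&amp;" in the pattern was restored; as printed on the
// page the pattern and the replacement were identical, making the call a
// no-op.
$data = htmlspecialchars($data, ENT_QUOTES, CHARSET);
$data = str_replace('\\', '&#092;', $data);
$ret = preg_replace("/&amp;#(\d*?);/", "&#\\1;", $data);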
I ask because I use mysql_real_escape_string, and I have been advised to do so by several people who, I think, know what they're talking about. So please, could you comment on this? Does this code have any advantage over mysql_real_escape_string?
function toDB($data, $nostrip = false, $no_encode = false, $mod = false)
{
global $pref;
if (is_array($data)) {
// recursively run toDB (for arrays)
foreach ($data as $key => $var) {
$ret[$key] = $this -> toDB($var, $nostrip, $no_encode);
}
} else {
if (MAGIC_QUOTES_GPC == TRUE && $nostrip == false) {
$data = stripslashes($data);
}
if(isset($pref['post_html']) && check_class($pref['post_html']))
{
$no_encode = TRUE;
}
if (getperms("0") || $no_encode === TRUE)
{
$search = array('$', '"', "'", '\\', '<?');
$replace = array('$','"',''', '\', '<?');
$ret = str_replace($search, $replace, $data);
} else {
$data = htmlspecialchars($data, ENT_QUOTES, CHARSET);
$data = str_replace('\\', '\', $data);
$ret = preg_replace("/&#(\d*?);/", "&#\\1;", $data);
}
}