[SOLVED] Probably a stupid question on escape characters in PHP...(searched but nothing)


SapAuthor


I couldn't find anything using the search (too many off hits).  I am building a couple of web applications, and throughout all this the one thing that has confused the heck out of me is figuring out how to secure my code.  There's stripslashes(), mysql_real_escape_string(), htmlentities(), etc, and I'm really really confused, and was hoping someone could clear some things up for me.

First Question: escape characters (like ', ", etc) can mess up MySQL queries, and other characters like (', ", <, >, &) can mess up HTML code.  But do escape characters mess up PHP code at all?  Or is PHP not affected at all by strings or variables with any characters in them?

Second: I've noted that MAMP (or WAMP/LAMP) adds a slash automatically to POST variable data; can this be assumed to be on for all servers nowadays (I think it was called magicslash or something, I read about it on php.net)?

Third: What is the best method of data input into MySQL and then output in HTML?  Is it mysql_real_escape_string into the database, then str_replace("\n", "<br>", stripslashes( htmlentities( $thevariable) ) ); to output proper HTML that won't mess up the HTML around it?  Or do you do stripslashes first and then htmlentities?  -.-

Thanks for any help given, I don't cover my PHP classes in college till next summer, and I've got a lot of programming to do before then lol.  I appreciate it.

1) Escape characters don't really mess up PHP unless you directly type in a string.

$var = "<a href="lol">"; //this won't work, needs escaping

2) It's magic_quotes_gpc and it cannot be assumed to be on for all servers, and it is COMPLETELY REMOVED in PHP6.  Do not rely on it and do proper input sanitation.

3) mysql_real_escape_string() for putting it in the database.  You don't need to stripslashes() on the stuff coming OUT of the database.  Check out the nl2br() function for "proper" html rather than using str_replace.
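The answer above touches three different contexts at once (PHP source, SQL, HTML), and the original question mixes up which escaping belongs where. The PHP below is an added example, not code from any poster in this thread; it shows the split explicitly: quoting inside PHP source is a source-code matter only, a value is escaped once for SQL right before it goes into a query, and it is escaped once for HTML (with nl2br() after htmlspecialchars()) right before it is printed, with no stripslashes() anywhere in between. It assumes a mysqli connection (the mysql_* functions the thread uses were removed in PHP 7) with placeholder credentials, and a table named comments with id and body columns; none of those appear in the thread.

```php
<?php
// Added example (not from the thread): escaping is per destination, not per variable.
// Assumes a mysqli connection (host/user/password/database are placeholders) and a
// table `comments` with columns `id` (auto-increment) and `body` (TEXT).

declare(strict_types=1);

// Q1: quote characters only matter to PHP inside PHP source code itself. This literal is
// fine because the outer quotes differ from the inner ones; once the text is in a
// variable, PHP does not care what characters it contains.
$link = '<a href="lol">';   // same text as "<a href=\"lol\">"

// SQL context: escape exactly once, right before the value is placed in a query, using
// the escaper that knows the connection's character set. The returned string includes
// the surrounding quotes so the call site cannot forget them.
function sqlLiteral(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// HTML context: escape when rendering. nl2br() runs after htmlspecialchars(), so the
// <br /> tags it inserts are the only markup left in the output.
function htmlText(string $value): string
{
    return nl2br(htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Constructed input standing in for $_POST['body']; no magic_quotes_gpc assumed here.
$body = "O'Brien said: <b>use</b> & \"quote\"\nsecond line";

$db = new mysqli('db-host', 'db-user', 'db-password', 'db-name'); // placeholders
$db->set_charset('utf8mb4');

// Store: the value is escaped for SQL only. What ends up in the column is the
// original text, quotes and all.
$db->query('INSERT INTO comments (body) VALUES (' . sqlLiteral($db, $body) . ')');

// Read back and render: nothing to strip, because the stored text is the original
// text; it is escaped for HTML only at this point.
$row = $db->query('SELECT body FROM comments ORDER BY id DESC LIMIT 1')->fetch_assoc();
echo '<p>' . htmlText($row['body']) . '</p>';
// Markup sent to the browser:
// <p>O&#039;Brien said: &lt;b&gt;use&lt;/b&gt; &amp; &quot;quote&quot;<br />
// second line</p>
```

Building the SQL literal by hand is kept here so that the two boundaries stay visible; in a current codebase the INSERT would use a bound parameter (mysqli_stmt::bind_param() or PDO), which removes the need to escape for SQL at all. The HTML side does not change either way: htmlspecialchars() at output time is what stops stored text from being interpreted as markup.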


1: Awesome, I've been doing a lot of extra crap that I didn't need to lol.

2: That's also awesome to know.  Question though, if they do have magic_quotes_gpc on, and I do mysql_real_escape_string, won't it turn /' to ///', and thus I need to do 2 stripslashes?  Should I write code based on the possibility it is on and do double stripslashes?

3: lol, that makes things easier, now doesn't it?  Thank you.

I love you lol.  If someone can answer the last bit on 2, I'll be all set.  Maybe also tell me how the heck to set these threads as answered, I couldn't find it last time >.>

You can work with something like:

if (get_magic_quotes_gpc()) {
    array_walk($_POST, 'stripslashes');
}

$name = $_POST['name'];
//etc

=P  There are of course other ways to do it.  Btw you mark a topic as Solved with the bottom...left corner I think.

Sorry to double post, but if anyone needs the same thing.  The function to remove the magic quotes didn't work, this does though:

if (isset($_POST['message'])) {
    $mysql_connect = mysql_connect("localhost", "sonica5", "hrd26250");

    if (get_magic_quotes_gpc()) {
        // the callback takes its argument by reference, so the array entry itself is changed
        function __stripslashes(&$s) { $s = stripslashes($s); }

        array_walk($_POST, '__stripslashes');
        array_walk($_GET, '__stripslashes');
    }
}
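The follow-up question about magic_quotes_gpc (does escaping a value that already carries a magic-quotes backslash double it up?) was never answered directly, and the last post shows why the first array_walk() version did nothing. The PHP below is an added example, not code from any poster, serving both points: it undoes magic quotes once per request with a by-reference callback that also reaches nested arrays, and then shows on constructed request data what happens when such a value is escaped again versus stripped first and escaped once. The request arrays, the names stripMagicQuotes() and magicQuotesActive(), and the use of addslashes() to simulate magic_quotes_gpc are all assumptions of the example; magic_quotes_gpc itself was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, which the guard accounts for.

```php
<?php
// Added example (not from the thread): undo magic_quotes_gpc exactly once per request,
// then escape exactly once per destination. All request data below is constructed.

declare(strict_types=1);

// Pure transformation: reverses the addslashes() that magic_quotes_gpc applied to
// GET/POST/COOKIE data, including nested arrays such as $_POST['tags'][0], which the
// non-recursive array_walk() in the posts above would leave quoted.
function stripMagicQuotes(array $input): array
{
    // The callback takes $value by reference. array_walk($a, 'stripslashes') modifies
    // nothing, because stripslashes() returns a new string and array_walk() discards
    // that return value; that is why the first version posted above did not work.
    array_walk_recursive($input, function (&$value): void {
        if (is_string($value)) {
            $value = stripslashes($value);
        }
    });
    return $input;
}

// Request-time guard. get_magic_quotes_gpc() was removed in PHP 8.0 (the ini setting
// itself went in PHP 5.4), so the call is protected with function_exists(); on a
// current PHP there is simply nothing to undo.
function magicQuotesActive(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

if (magicQuotesActive()) {
    $_POST = stripMagicQuotes($_POST);
    $_GET  = stripMagicQuotes($_GET);
}

// Demonstration of the double-escaping problem asked about in the thread.
// magic_quotes_gpc is equivalent to running addslashes() over incoming data, so the
// constructed request below simulates a server that has it switched on.
$rawRequest  = ['name' => "O'Brien", 'tags' => ["it's", 'plain']];
$magicQuoted = array_map(
    fn($v) => is_array($v) ? array_map('addslashes', $v) : addslashes($v),
    $rawRequest
);
// $magicQuoted['name'] is now O\'Brien and $magicQuoted['tags'][0] is it\'s

// Wrong: escaping the already-quoted value for SQL again. Both the backslash and the
// quote get escaped, giving O\\\'Brien in the query text, which MySQL decodes and
// stores as O\'Brien, i.e. with a literal backslash in the data. addslashes() stands in
// here for the connection escaper, which treats \ and ' the same way.
$doubleEscaped = addslashes($magicQuoted['name']);   // O\\\'Brien

// Right: strip magic quotes first, then escape once at the SQL boundary.
$clean       = stripMagicQuotes($magicQuoted);       // name => O'Brien, tags[0] => it's
$escapedOnce = addslashes($clean['name']);           // O\'Brien, stored by MySQL as O'Brien
```

The answer to the double-stripslashes question is therefore no: strip once at the top of the request (or run on a server where the setting does not exist), and every later escaper sees the original text. Running stripslashes() twice on a value that was only quoted once would eat backslashes the user actually typed.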
