Jump to content

How To Handle Apostrophes


refiking

Recommended Posts

$text = "Steve's text";

$string = addslashes($text);

mysql_query("INSERT INTO table (`text`) VALUES ('".string."')");

 

Then to retrieve

 

$query = mysql_query("SELECT text FROM table WHERE .....");

$text = mysql_fetch_array($query);

 

$text = stripslashes($text[0]);

 

echo $text;

 

Something like that :)

Infact instead of using addslashes before it goes into the database, I'd increase the security and use

 

function clean($data) {

if (!get_magic_quotes_gpc()) {

$data = addslashes($data);

}

 

$data = strip_tags($data);

$data = htmlspecialchars($data, ENT_QUOTES);

$data = trim($data);

 

return $data;

 

}

 

It's a bit more safe

OK.  So, I add this function and call my variables.  Then, how would I use this function with those variables.  For example:
[code]
while($row = mysql_fetch_assoc($sql)){
$var1 = $row['field1'];
$var2 = $row['field2'];
$var3 = $row['field3'];
}
//Would I then add this? //
$var1 = clean($var1);
$var2 = clean($var2);
$var3 = clean($var3);

[/code]

 

Actually, you should used the mysql_real_escape_string() function, not addslashes(), since it handles all potential problem characters, not just the single quote.

 

Also, stripslashes() and htmlentities() should be used when you display stored values, not when you store them,

 

Ken

You should use stripslashes() before htmlentities():

<?php
while($row = mysql_fetch_assoc($sql)){
     $var1 = htmlentities(stripslashes($row['field1']),ENT_QUOTES);
     $var2 = htmlentities(stripslashes($row['field2']),ENT_QUOTES);
//
// do something with var1 & var2
//
}?>

 

Ken

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.