moagrius Posted November 30, 2008

Hi,

I've got a form with several inputs and textareas. Entries are saved to a SQL table, then later echoed out as a JSON object. My question is in 2 parts:

1. Since the user input will have to be passed to a SQL query, how should I pass the post variables to that string? Poking around has led me to addslashes and sprintf, but experimentation hasn't produced predictable results.

2. When echoing those entries, what formatting functions should be used to avoid conflicts with special characters (quotes and line breaks in particular, but I'd be interested if there were prefab functions available that I'm guessing exist but I'm not aware of...)?

E.g. on the former:

    // collect every posted value, first slot left empty for the auto-increment column
    $querystring = array("");
    foreach($_POST as $key=>$val) array_push($querystring,$val);
    $querystring = implode("\",\"",$querystring);
    $querystring = "INSERT INTO Topic VALUES (\"" . $querystring . "\")";
    $result = mysql_query($querystring);
    // What formatting functions should be applied to $val?

E.g. on the latter:

    $result = mysql_query("select * from Topic");
    $json = array();
    while($row = mysql_fetch_assoc($result)){
        // build one {"col":"val",...} object per row by hand
        $obj = array();
        foreach($row as $key=>$val) array_push($obj,"\"" . $key . "\":\"" . $val . "\"");
        $str = "{" . implode(",",$obj) . "}";
        array_push($json,$str);
    }
    $json = implode(",",$json);
    echo "var DB = [" . $json . "];\r\n\r\n";
    // what formatting functions would be best applied to $key and $val?

Thanks in advance
DarkWater Posted November 30, 2008

1. mysql_real_escape_string();
2. htmlspecialchars() followed by nl2br(). The order is important.
moagrius Posted November 30, 2008 (Author)

Thanks for the quick reply, but after a quick lookup of nl2br it apparently swaps line breaks for "<br>" entities. I'm echoing JavaScript variables, not HTML; should I replace that step with a preg_replace?

Thanks again
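The following is an added example written for this thread, not code posted by either participant. It covers both halves of the question in PHP 7+ idiom. For part 1, mysql_real_escape_string() from the reply above does escape quotes, backslashes and line breaks for the connection's charset, but the whole mysql_* extension was removed in PHP 7 (mysqli_real_escape_string() is the surviving equivalent); a prepared statement avoids the escaping question entirely, because the values never become part of the SQL text. It also names the columns explicitly: the original loop over $_POST lets the client decide how many values are sent and in what order, which no escaping function can fix. For part 2, htmlspecialchars()+nl2br() is the pair for HTML output, but since the follow-up says the output is a JavaScript variable, json_encode() is the prefab function being asked about: it escapes quotes, backslashes and line breaks, and with the JSON_HEX_* flags also "<", ">" and "&", so the literal cannot close a surrounding <script> tag. Assumptions: a table Topic with columns title and body, PDO with the sqlite driver available (an in-memory SQLite database stands in for MySQL so the script runs offline), and a constructed $fakePost array in place of $_POST.

```php
<?php
// Added example, not from the thread. Assumes a Topic(id, title, body) table
// and PDO with the sqlite driver; the in-memory DB stands in for MySQL.

// --- Part 1: getting user input into the query safely ---
// A prepared statement sends the SQL text and the values separately, so no
// quoting of $val is needed and the column list is fixed by the code,
// not by whatever keys the client chose to POST.
function insertTopic(PDO $db, array $post): int {
    $stmt = $db->prepare('INSERT INTO Topic (title, body) VALUES (:title, :body)');
    $stmt->execute([
        ':title' => (string)($post['title'] ?? ''),
        ':body'  => (string)($post['body'] ?? ''),
    ]);
    return (int)$db->lastInsertId();
}

// --- Part 2: echoing rows as a JavaScript variable ---
// json_encode() handles quotes, backslashes, \r and \n for every $key and
// $val. The JSON_HEX_* flags additionally turn < > & ' " into \uXXXX escapes,
// so the output is safe to embed inside an inline <script> block.
function rowsAsJs(PDO $db): string {
    $rows = $db->query('SELECT * FROM Topic')->fetchAll(PDO::FETCH_ASSOC);
    $json = json_encode(
        $rows,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    // json_encode already produces the surrounding [ ... ] for a list of rows
    return "var DB = " . $json . ";\r\n\r\n";
}

// --- Demo with constructed input containing the characters the question worries about ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Topic (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, body TEXT)');

// Constructed stand-in for $_POST: double quotes, a line break, a single quote
// and a closing script tag, all of which the hand-built string versions would mangle.
$fakePost = [
    'title' => 'He said "hi"',
    'body'  => "line one\r\nline two 'quoted' </script>",
];
insertTopic($db, $fakePost);

// The stored row comes back intact (the quotes and CRLF survived the insert),
// and the echoed JS literal contains only escaped forms of the special characters.
echo rowsAsJs($db);
```

If the JSON must instead be served to an XMLHttpRequest rather than inlined in a page, drop the JSON_HEX_* flags and send a Content-Type of application/json; the escaping of quotes and line breaks is the same either way.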