
[SOLVED] How Would You Safely Allow a User to Enter a Single Quote in a Table Column?


limitphp


If I wanted to let users include single quotes as part of their playlist names, how would I safely allow them to do that?

ex) $playlist = "60's Rock"

 

Because, right now, I mysql_real_escape_string() values.

 

I assume you should always mysql_real_escape_string() any user input, so how would I allow them to safely enter a single quote as part of their playlist name?


You answered your own question. That is the best way to do it. If this is going to actually be a filename, I would not allow it. If it is only stored in a database, it is fine with ' etc. Just escape the data with the mysql function.

 

No, playlists will not be filenames.  They are just going to be stored in the database.

 

So, when you mysql_real_escape_string() a value, it converts all single quotes into \'

Does the \' get stored in the database like that?  With the backslash?

 

I'm confused, when you use the escape string(), what gets stored in the database?  a single quote or a backslash and single quote?

 



> So, when you mysql_real_escape_string() a value, it converts all single quotes into \'
>
> Does the \' get stored in the database like that?  With the backslash?


Yes.

 

When you recall the data from the database run stripslashes() on it to remove them.


> So, when you mysql_real_escape_string() a value, it converts all single quotes into \'
>
> Does the \' get stored in the database like that?  With the backslash?


Haven't we gone over this like 3 or 4 times before? No, it just escapes it so it will not show up like \' in the DB. As long as magic quotes are turned off and you are not double escaping it.

 

EDIT:

Saw the stripslashes post. No, you should never use stripslashes on data coming out of a database. If you have to, it means you did not insert it properly/double escaped it. Read up on Magic Quotes as that is usually the cause of double escaping. I suggest it be turned off.

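The whole thread turns on which bytes actually reach the column. The following is an added example, not code from the thread, written in Python so it runs without a MySQL server: it models mysql_real_escape_string(), PHP's addslashes() (what magic_quotes_gpc ran on request data), the server-side decoding of the quoted literal, and stripslashes(), using constructed playlist names; the escape table is assumed to be the standard MySQL one.

```python
# Added example (not from the thread): a model of what mysql_real_escape_string()
# does on the PHP side and what MySQL's parser then does with the '...' literal.

_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
_MYSQL_DECODE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}

def escape(value: str) -> str:
    """Model of mysql_real_escape_string(): backslash-escape what could end the literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def addslashes(value: str) -> str:
    """Model of PHP addslashes(), which magic_quotes_gpc silently ran on request data."""
    return "".join("\\" + ch if ch in "\\'\"\0" else ch for ch in value)

def _unescape(text: str, table: dict) -> str:
    """Consume one backslash per escape; `table` says what the next char decodes to."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            i += 1
            out.append(table.get(text[i], text[i]))
        else:
            out.append(text[i])
        i += 1
    return "".join(out)

def stored_value(sql_literal: str) -> str:
    """What MySQL writes to the column: quotes and escape backslashes are consumed, never stored."""
    assert sql_literal[0] == sql_literal[-1] == "'"
    return _unescape(sql_literal[1:-1], _MYSQL_DECODE)

def stripslashes(value: str) -> str:
    """Model of PHP stripslashes(): drops one backslash before any character."""
    return _unescape(value, {"0": "\0"})

def insert_once(name: str) -> str:
    """Correct path: escape exactly once, let MySQL decode it."""
    return stored_value("'" + escape(name) + "'")

def insert_double_escaped(name: str) -> str:
    """The bug the thread describes: magic quotes already added slashes, then
    the code escapes again, so a backslash survives into the column."""
    return stored_value("'" + escape(addslashes(name)) + "'")

if __name__ == "__main__":
    print(insert_once("60's Rock"))             # 60's Rock   (no backslash stored)
    print(insert_double_escaped("60's Rock"))   # 60\'s Rock  (backslash stored)
    print(stripslashes(insert_once("AC\\DC")))  # ACDC        (stripslashes eats real data)
```

The last line is why the second reply is right: stripslashes() only appears to help on double-escaped rows, and it silently destroys correctly stored values that contain a real backslash.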
