kev wood Posted May 5, 2009

I am storing data into a MySQL db but this data can have special HTML characters inside the text, which are then being turned into symbols when they are pulled back out of the db to be viewed again. I know to fix this problem you can use addslashes() and stripslashes() but I am a little unsure of how to use the first part of this. The reason I am unsure is that I have a few different pieces of information being entered into the db which are posted to the page. I have read that $_POST and $_GET data already have the addslashes() function applied to them. So if I wanted to perform the addslashes() when it was going into the db, would I do it as it is posted, like the following

addslashes($option1) = $_POST['radio'];

or do it after the data has been posted but before the data is entered into the db

addslashes($option1);

or do it as it is entered into the db

VALUES ('addslashes($a)',

or can more than one of these options be used?

Mchl Posted May 5, 2009

> i have read that $_POST and $_GET data already have the addslashes() function applied to them.

This is no longer valid. This behaviour depends on a setting called magic_quotes. It is disabled by default in current versions of PHP. You should not use it if you can. See here for more information: http://www.php.net/magic_quotes

kev wood Posted May 5, 2009

Would this line of code do what I want then?

$option1 = mysql_real_escape_string($_POST['radio']);

Also, if mysql_real_escape_string() is used, do you not have to do anything to the data once you are extracting it back out of the db, or is this function only used when extracting the information from the db?

Mchl Posted May 5, 2009

Yes. That would work fine. And no, you don't have to do anything when retrieving data from the database. Remember to use mysql_real_escape_string on every variable that comes from the user and goes into a query. Even when selecting data. For example:

```php
<?php
// Escape the user-supplied value using the current connection's character set.
$escapedVar = mysql_real_escape_string($_POST['var']);
// The escaped value must still sit inside quotes; escaping alone does not protect an unquoted value.
$sql = "SELECT * FROM table WHERE var = '$escapedVar'";
```

kev wood Posted May 5, 2009

Why is it that the db connection details have to go before the mysql_real_escape_string statement?

Mchl Posted May 5, 2009

Because mysql_real_escape_string takes the connection encoding into consideration.
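
The round trip discussed in this thread, as an added example that is not code from any of the posters: a value stored without pre-applied slashes comes back unchanged, while a value that has already been through addslashes() (what magic_quotes did) is stored with the extra backslashes in it. It swaps in PDO prepared statements for mysql_real_escape_string(), because the mysql_* extension was removed in PHP 7, and uses an in-memory SQLite database as a stand-in for MySQL so it runs offline. Assumptions: the pdo_sqlite extension is available; the table and column names (notes, body), the helper functions and the sample string are made up for the illustration.

```php
<?php
// Added example. SQLite in memory stands in for MySQL (assumption) so the
// script needs no server. Table/column names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample input: a single quote, a backslash, HTML characters
// and double quotes, i.e. everything the thread worries about.
$input = "O'Reilly \\ <b>5 > 3</b> & \"more\"";

// Hypothetical helper: insert one value and return its row id.
function store(PDO $pdo, string $body): int
{
    // The value travels as a bound parameter, never as part of the SQL text,
    // so no manual escaping is applied to it.
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Hypothetical helper: read the stored value back by id.
function fetch(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// 1. Stored as received: the value read back is identical to the input,
//    so there is nothing to undo (no stripslashes()) on retrieval.
$clean = fetch($pdo, store($pdo, $input));
echo 'clean round trip identical:   ';
var_dump($clean === $input);

// 2. Input that already went through addslashes(), as magic_quotes did.
//    The added backslashes are now part of the stored data and come back
//    on every read, which is the corruption stripslashes() was papering over.
$slashed = fetch($pdo, store($pdo, addslashes($input)));
echo 'slashed round trip identical: ';
var_dump($slashed === $input);

echo 'stored (clean):   ', $clean, PHP_EOL;
echo 'stored (slashed): ', $slashed, PHP_EOL;
```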