bare_nature Posted March 10, 2010 Share Posted March 10, 2010 Hello, Can you guys recommend me a good resource or tutorial for dealing with escaped values and preventing them from interfering with your code? What I mean is the following: When I process form values and prep them for mySQL, I do the following: - trim($value) - htmlentities(stripslashes($value)) - str_ireplace("script", "blocked", $value) - mysql_real_escape_string($value) I end up with mySQL-safe input values (which is my primary concern). However, due to the escaped stuff and htmlentitized values, I have to do a bit of processing to have html-input render well in the browser. My main problem are escaped quotes (single and double). Take this example: <input name='form_field' value='<?php echo $object->value; ?>' /> Now, imagine the value of $object->value being "It\'s a good example." the problem is that the single quote will not be escaped, it seems. In short, I'm confused and forgive me my newbie-ness. As I mentioned earlier, I think I need a solid foundation on how and when to use single and double quotes, how to properly escape them and make sure they are displayed correctly at all times. All help is more than welcome. Thanks, Bart Quote Link to comment Share on other sites More sharing options...
PravinS Posted March 10, 2010 Share Posted March 10, 2010 Use this function <?php function quote_smart($value) { // Stripslashes if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // Quote if not a number or a numeric string if (!is_numeric($value)) { $value = "'" . mysql_real_escape_string($value) . "'"; } return $value; } ?> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.