bare_nature Posted March 10, 2010

Hello,

Can you guys recommend a good resource or tutorial for dealing with escaped values and preventing them from interfering with your code? What I mean is the following: when I process form values and prep them for MySQL, I do the following:

- trim($value)
- htmlentities(stripslashes($value))
- str_ireplace("script", "blocked", $value)
- mysql_real_escape_string($value)

I end up with MySQL-safe input values (which is my primary concern). However, due to the escaped stuff and htmlentitized values, I have to do a bit of processing to have HTML input render well in the browser. My main problem is escaped quotes (single and double). Take this example:

```php
<input name='form_field' value='<?php echo $object->value; ?>' />
```

Now, imagine the value of $object->value being "It\'s a good example." The problem is that the single quote will not be escaped, it seems.

In short, I'm confused, and forgive me my newbie-ness. As I mentioned earlier, I think I need a solid foundation on how and when to use single and double quotes, how to properly escape them, and make sure they are displayed correctly at all times.

All help is more than welcome.

Thanks,
Bart
PravinS Posted March 10, 2010

Use this function:

```php
<?php
function quote_smart($value)
{
    // Undo magic_quotes_gpc, which adds backslashes to request values on older PHP
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote and escape unless it is a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
?>
```
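The confusion in the question comes from escaping for two different contexts (SQL and HTML) at the same time, before storage. The following is an added example, not code from either poster, showing the approach that avoids that: store the value untouched, bind it as a query parameter, and escape for HTML only at output time with ENT_QUOTES so an apostrophe is safe inside value='...'. It assumes a made-up table `form_data`, uses an in-memory SQLite database through PDO in place of MySQL so it runs offline, and the sample input is constructed.

```php
<?php
// Added example (not from the thread): one escaping step per output context.
// Table/column names are assumptions; SQLite via PDO stands in for MySQL.
declare(strict_types=1);

// Undo magic_quotes_gpc (PHP < 5.4) only when it is actually on; on newer
// PHP the function no longer exists and request values are already raw.
function normalize_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

// Escape for an HTML attribute or text node. ENT_QUOTES covers both ' and ",
// so the value is safe in a single-quoted attribute, and a <script> tag in
// the value becomes literal text; no str_ireplace("script", ...) is needed.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample of what a user might type into the form field.
$submitted = "  It's a \"good\" <script>example</script>.  ";
$value = normalize_input($submitted);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE form_data (id INTEGER PRIMARY KEY, value TEXT NOT NULL)');

// SQL context: the bound parameter never becomes part of the SQL text, so the
// apostrophe needs no mysql_real_escape_string() and no backslash is stored.
$insert = $db->prepare('INSERT INTO form_data (value) VALUES (:value)');
$insert->execute([':value' => $value]);

// Read it back: exactly what was typed, with no backslashes and no entities.
$stored = $db->query('SELECT value FROM form_data')->fetchColumn();
if ($stored !== trim($submitted)) {
    throw new RuntimeException('value was altered on the way through the database');
}

// HTML context: escape here, and only here, for the attribute being written.
printf("<input name='form_field' value='%s' />\n", html_attr($stored));
```

The rendered input keeps the apostrophe (as an HTML entity) and the quotes, with no stray backslash, because nothing was escaped until the value reached the HTML context.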