spacepoet Posted November 30, 2012 Share Posted November 30, 2012 Hello: I have been replacing all " (quotes) with this: " I was under the impression I should do this when inserting data into a database. This works, but when I select the data and display it like this: <a href="http://www.website.com">Website</a> The link does not work. Should I be doing it the "standard" way: <a href="http://www.website.com">Website</a> ??? I thought the idea was to remove the " and ' for security reasons .. ?? What am I missing .. ?? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 30, 2012 Share Posted November 30, 2012 The real question is why would you store html markup in the database? Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted November 30, 2012 Share Posted November 30, 2012 I thought the idea was to remove the " and ' for security reasons .. ?? Just what exactly is it you are trying to secure against? If it's to prevent links that are submitted to your script from being click-able links, you succeeded. The link is no longer a problem because it isn't a link any more. Quote Link to comment Share on other sites More sharing options...
spacepoet Posted November 30, 2012 Author Share Posted November 30, 2012 The real question is why would you store html markup in the database? Because the person I am doing this for wants to be able to copy and paste affiliate-like ads and display them on his site .. The code generated comes with markup ... This isn't a public form; it is in an admin area .. but I am trying to make it as safe as possible .. I assume this is not possible (the way I was trying to do it) .. ?? Quote Link to comment Share on other sites More sharing options...
spacepoet Posted November 30, 2012 Author Share Posted November 30, 2012 Because the person I am doing this for wants to be able to copy and paste affiliate-like ads and display them on his site .. The code generated comes with markup ... This isn't a public form; it is in an admin area .. but I am trying to make it as safe as possible .. I assume this is not possible (the way I was trying to do it) .. ?? Is this: $myData = mysql_real_escape_string($_POST['myData']); secure enough .. ?? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 30, 2012 Share Posted November 30, 2012 It isn't working because your changing the data instead of escaping it. Then when you echo the data the quotes are no longer quotes, they're html entities designed to be rendered and displayed by the browser. Quote Link to comment Share on other sites More sharing options...
spacepoet Posted November 30, 2012 Author Share Posted November 30, 2012 OK .. thank you for that .. Can you show me an example of what you mean by escaping the data ... ?? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 30, 2012 Share Posted November 30, 2012 You'd just do it the exact same way you should be escaping all user data, with mysql_real_escape_string. EDIT: Assuming you're using MySQL, of course. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.