123guy, posted January 6, 2013

Is there a way to automatically replace all characters inside a posted variable that could end a query? The variable could be something such as $_POST['item'] being "the dog is 12" long". I need the " after 12 to be replaced with its code so that the query doesn't end after 12. I know I could use str_replace to do it, but I was wondering if there is any way I could do this for all characters that may happen to interfere with the query. Sorry if this is an obvious answer, but I am pretty new to PHP. What is the easiest way to do this?
Pikachu2000, posted January 6, 2013

All string type user data should be escaped before being allowed anywhere near a query string: mysql_real_escape_string or mysqli_real_escape_string, depending on whether you use the mysql or mysqli extension functions.
123guy, posted January 6, 2013

Thanks! That is what I needed! One other question: is there any way to also make it so that when I pull it from the database it is able to sense line breaks or new paragraphs? I use a textarea for the user to input the value, and the database shows when and where they pressed the "return" key, but when I then pull it from the database, it does not show that the return key was pushed. How can I make it so that it shows up exactly how the user entered it?
Christian F., posted January 6, 2013 (edited)

You really should be looking into the htmlspecialchars() and nl2br() functions, in addition to real_escape_string(). Those are just three examples of "output escaping", a subject which I strongly recommend reading up more on. That'll not only save you a lot of headaches with your users' content, but it'll also help make your site secure and protect it against some of the most common attacks online.

Input validation is another piece of the puzzle. In addition to helping secure your application further, it'll also help you inform your users when they've (tried to) post some "illegal" content. Which means you can repopulate the form and show them nice and helpful error messages, instead of just failing miserably.

PS: The PHP manual is a great resource for anything PHP-related. If you're wondering about a specific function, you can look it up directly by using the following address: php.net/{function}. So, for htmlspecialchars() that URL becomes php.net/htmlspecialchars.

Edited January 6, 2013 by Christian F.
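The two escaping steps discussed in this thread (real_escape_string on the way into the query, htmlspecialchars plus nl2br on the way out to the browser), as an added example that is not code from any poster. It assumes a mysqli connection with hypothetical credentials and a hypothetical table `items` with columns `id` and `description`.

```php
<?php
// Added example (not from the thread). Table `items` (id, description) and the
// connection details are hypothetical.
$db = new mysqli('localhost', 'user', 'password', 'example_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// real_escape_string escapes according to the connection charset, so set it explicitly.
$db->set_charset('utf8mb4');

// 1. Input side: the posted value, e.g. the dog is 12" long
$item = isset($_POST['item']) ? $_POST['item'] : '';

// mysqli::real_escape_string backslash-escapes the characters MySQL treats specially
// inside a quoted string literal (quotes, backslash, NUL, newline, carriage return,
// Ctrl-Z). This only protects the query when the value is placed inside quotes in
// the SQL, as below; an unquoted value (e.g. a bare number) is not made safe by it.
$escaped = $db->real_escape_string($item);
$db->query("INSERT INTO items (description) VALUES ('$escaped')");

// 2. Output side: read the row back and render it as HTML.
$result = $db->query('SELECT description FROM items ORDER BY id DESC LIMIT 1');
$row = $result->fetch_assoc();

// htmlspecialchars turns < > & " ' into entities so user text cannot inject markup.
// nl2br then inserts <br /> before each newline so the textarea's line breaks survive
// (browsers collapse raw newlines to spaces). The order matters: running
// htmlspecialchars after nl2br would escape the <br /> tags it just added.
echo nl2br(htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8'));
```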