
Is there a way to automatically replace all characters inside of a posted variable that could end a query?

The variable could be something such as $_POST['item'] being "the dog is 12" long". I need the " after 12 to be replaced with its code so that the query doesn't end after 12. I know I could use str_replace to do it, but I was wondering if there is any way I could do this for all characters that may happen to interfere with the query. Sorry if this is an obvious answer, but I am pretty new to PHP. What is the easiest way to do this?

All string type user data should be escaped before being allowed anywhere near a query string. mysql_real_escape_string or mysqli_real_escape_string, depending on whether you use mysql or mysqli extension functions.
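As an added illustration of the advice above (this is not code from the thread), the following shows the escaping step with the mysqli extension, and beside it the prepared-statement form that a security reviewer would ask for instead, since it sends the value separately from the SQL text and leaves no quoting rule to get wrong. Note that the old mysql_* functions were removed in PHP 7.0, so only the mysqli variant still applies. The table name `items`, its columns, the connection credentials and the sample input are assumptions made for the example; `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not from the thread: escaping a textarea value versus binding it
// as a parameter, using the mysqli extension.
// Assumptions: an `items` table with `id` and `description` columns, a reachable
// MySQL server, and $_POST['item'] holding text such as: the dog is 12" long

declare(strict_types=1);

// Constructed sample input standing in for $_POST['item'].
$input = 'the dog is 12" long; it\'s brown';

$mysqli = new mysqli('localhost', 'user', 'pass', 'shop');   // assumed credentials
if ($mysqli->connect_errno) {
    die('Connection failed: ' . $mysqli->connect_error);
}
// real_escape_string is charset-aware: set the connection charset before escaping.
$mysqli->set_charset('utf8mb4');

// 1) The approach the thread recommends: escape, then embed in a *quoted* literal.
//    The escaping only helps if the value is wrapped in quotes in the SQL string.
$escaped = $mysqli->real_escape_string($input);
$sql = "INSERT INTO items (description) VALUES ('$escaped')";
// $sql now reads: INSERT INTO items (description) VALUES ('the dog is 12\" long; it\'s brown')
$mysqli->query($sql);

// 2) Preferred: a prepared statement. The raw value travels separately from the
//    SQL, so nothing needs escaping and the query cannot be terminated early.
$stmt = $mysqli->prepare('INSERT INTO items (description) VALUES (?)');
$stmt->bind_param('s', $input);   // 's' = bind as string
$stmt->execute();
$stmt->close();

// 3) Escaping does nothing for unquoted numeric positions: "1 OR 1=1" contains
//    no quote to escape. Cast to int, or bind the value as an integer.
$id = (int) ($_POST['id'] ?? 0);
$stmt = $mysqli->prepare('SELECT description FROM items WHERE id = ?');
$stmt->bind_param('i', $id);      // 'i' = bind as integer
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

$mysqli->close();
```

Escaping is a per-value fix that has to be applied correctly at every quoted position; a prepared statement makes the separation between code and data structural, which is why it is the default recommendation for any new PHP code.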

Thanks! That is what I needed! One other question: is there any way to also make it so that when I pull it from the database it is able to sense line breaks or new paragraphs? I use a textarea for the user to input the value, and the database shows when and where they pressed the "return" key, but when I then pull it from the database, it does not show that the return key was pushed. How can I make it so that it shows up exactly how the user entered it?

You really should be looking into the htmlspecialchars() and nl2br() functions, in addition to real_escape_string(). Those are just three examples of "output escaping", a subject which I strongly recommend reading more up on. That'll not only save you a lot of headaches with your users' content, but it'll also help make your site secure and protect it against some of the most common attacks online.

 

Input validation is another piece of the puzzle. In addition to helping secure your application further, it'll also help you inform your users when they've (tried to) post some "illegal" content. Which means you can repopulate the form, and show them nice and helpful error messages, instead of just failing miserably. ;)

 

PS: The PHP manual is a great resource for anything PHP-related. If you're wondering about a specific function, you can look it up directly by using the following address:

php.net/{function}

So, for htmlspecialchars() that URL becomes php.net/htmlspecialchars. ;)

Edited by Christian F.
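The following is an added example, not code posted in the thread, that puts the two pieces of this answer together: output escaping with htmlspecialchars() and nl2br() so the textarea's line breaks survive the round trip without the text being rendered as HTML, and a small validation step that repopulates the form with the user's own text when it is rejected. The field name `item`, the length limit and the sample input are assumptions; the text is assumed to have been stored in the database unchanged, with its newlines intact.

```php
<?php
// Added example, not from the thread: preserving textarea line breaks on output,
// escaping for HTML, and validating input so the form can be repopulated.
// Assumptions: $description is the stored value read back from the database
// (newlines untouched); the form field is named 'item'; limits are illustrative.

declare(strict_types=1);

// Constructed sample: what a user typed, including two Enter presses and markup.
$description = "First line\r\nSecond line\n\n<script>alert('x')</script> & 12\" long";

// Output escaping for element content. Order matters: escape first, then let
// nl2br() insert <br /> before each newline, so the added tags are not escaped.
function renderMultiline(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($safe);
}

// Output escaping for a <textarea>: the browser keeps newlines as typed there,
// so only htmlspecialchars() is needed (no nl2br, or the user would see "<br />").
function renderForTextarea(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation: returns a list of error messages; an empty list means OK.
function validateItem(string $text): array
{
    $errors = [];
    if (!mb_check_encoding($text, 'UTF-8')) {
        $errors[] = 'Description contains invalid characters.';
    }
    if (trim($text) === '') {
        $errors[] = 'Please enter a description.';
    }
    if (mb_strlen($text, 'UTF-8') > 2000) {           // assumed limit
        $errors[] = 'Description must be 2000 characters or fewer.';
    }
    return $errors;
}

$errors = validateItem($description);
if ($errors !== []) {
    // Show the problems and hand the user's own text back instead of failing.
    echo '<ul>';
    foreach ($errors as $e) {
        echo '<li>' . htmlspecialchars($e, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    echo '</ul>';
    echo '<textarea name="item">' . renderForTextarea($description) . '</textarea>';
} else {
    // Renders the line breaks as <br /> and the <script> tag as harmless text:
    // First line<br />
    // Second line<br />
    // <br />
    // &lt;script&gt;alert(&apos;x&apos;)&lt;/script&gt; &amp; 12&quot; long
    echo '<p>' . renderMultiline($description) . '</p>';
}
```

Two points worth keeping in mind: escape at output time, for the context the value is going into (HTML body versus attribute versus SQL), rather than "cleaning" the stored data once on the way in; and run validation before the database step, so a rejected value never reaches the query at all.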