Quick question: here is part of one of my functions (I have magic_quotes_gpc set to off):
function addToDb(){
$cleanTitle = html_entity_decode(mysql_real_escape_string($_POST['title']));
$sql="
INSERT INTO table (coltitle)
VALUES ('$cleanTitle')
";
...
that is supposed to escape 'dangerous' characters.
It seems to work (i.e. I can see the \) if I print $cleanTitle and do not INSERT.
But when I do INSERT it into the db I cannot see the \. Is it normal? Is the data safe once it's in the db? Do I need to stripslashes on output (I already use htmlentities) if no backslashes are stored in the db?
Cheers
le_gber
I'm guessing the reason why you aren't seeing any escaped chars is because you are running the mysql_escape_string BEFORE you are running html_entity_decode. When the first function runs, there are no problems because the chars are entities.
Try changing them around:
mysql_real_escape_string(html_entity_decode($_POST['title']));
dc
using
$string = "It's a great day to learn PHP and MySQL";
mysql_real_escape_string($string) // It\'s a great day to learn PHP and MySQL
will give me
It's a great day to learn PHP and MySQL
in my db and
It\'s a great day to learn PHP and MySQL
if I print it straight away.
So I guess that having ' and " in a db is quite 'safe' after all.
Cheers
le_gber
ps. and I guess that means I don't have to use stripslashes on the outputting functions
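Added example (not code from the thread) illustrating both points discussed above: why escaping before html_entity_decode() leaves an entity-encoded quote unescaped, and why the backslash never shows up in the stored row. mysql_real_escape_string() needs a live MySQL connection and no longer exists in PHP 7+, so escapeForMySql() below is a hypothetical stand-in that escapes the same characters the MySQL client library does for single-byte charsets; the round trip uses an in-memory SQLite database through PDO with a bound parameter as a stand-in for the MySQL table. The table and column names are assumed.

```php
<?php
// Hypothetical stand-in for mysql_real_escape_string() (assumption: same
// character set as the C client library for a single-byte connection charset).
function escapeForMySql(string $s): string {
    return strtr($s, [
        "\0"   => '\\0',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\x1a" => '\\Z',
    ]);
}

// The order from the original post: escape first, then decode entities.
// Any quote that arrived as an entity (&#39; or &quot;) is decoded AFTER
// escaping, so it reaches the SQL string as a bare quote.
function escapeThenDecode(string $title): string {
    return html_entity_decode(escapeForMySql($title), ENT_QUOTES, 'UTF-8');
}

// The order suggested in the reply: decode first, then escape.
// Every quote, whether it arrived literally or as an entity, is escaped.
function decodeThenEscape(string $title): string {
    return escapeForMySql(html_entity_decode($title, ENT_QUOTES, 'UTF-8'));
}

// Constructed input: one literal apostrophe plus two entity-encoded ones.
$title = "It's a great day for Rock &#39;n&#39; Roll";

echo "escape-then-decode: ", escapeThenDecode($title), "\n";
echo "decode-then-escape: ", decodeThenEscape($title), "\n";

// Round trip through a database (in-memory SQLite via PDO as a stand-in for
// MySQL). The backslash produced by escaping is a transport escape that the
// SQL parser consumes while parsing the string literal; it is never part of
// the stored value. With a bound parameter there is no string literal to
// escape at all, and the value still comes back exactly as it went in.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE titles (coltitle TEXT)');   // assumed table/column name
$stmt = $db->prepare('INSERT INTO titles (coltitle) VALUES (?)');
$stmt->execute([html_entity_decode($title, ENT_QUOTES, 'UTF-8')]);

$stored = $db->query('SELECT coltitle FROM titles')->fetchColumn();
echo "stored row:         ", $stored, "\n";
echo "contains backslash: ", (strpos($stored, '\\') === false ? 'no' : 'yes'), "\n";

// On output, escape for the output context (HTML here) instead of calling
// stripslashes(): there are no slashes to strip, and the quotes in the stored
// text still need encoding before they are written into a page.
echo "html output:        ", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Run with `php example.php`. In the escape-then-decode line the two apostrophes that arrived as `&#39;` appear as bare quotes inside the SQL string, while in the decode-then-escape line all three apostrophes carry a backslash. The stored row contains plain apostrophes and no backslash, which is the behaviour observed in the thread: the escaping protects the query text on the way in, and the value has to be escaped again for whatever context it is written into on the way out (htmlspecialchars() for HTML, a bound parameter or fresh escaping for another query).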