FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Form fields to database and back?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Form fields to database and back? [message #174555 is a reply to message #174538] Fri, 17 June 2011 20:03 Go to previous messageGo to previous message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma:
Senior Member
bobmct wrote:

> A typical field the user would enter would be like this:
>
> prd ="^ptmdtr-slb.bna.com^";
>
> I need to store it in the db field then be able to retrieve it and
> redisplay it exactly as entered.
>
> Currently I am using:
> $fld = htmlspecialchars_decode($fld);
> $fld = addslashes($fld);
>
> update table set field_name = '$fld'

This does not make sense. Either you are writing a CMS, then you should
store all markup verbatim (after removing potentially unwanted elements).
Or you are not, then you should not be receiving markup in the first place.

Unless you write for debugging, you could combine the calls:

$fld = addslashes(htmlspecialchars($fld));

But not even debugging merits two assignments here. (Note that this is just
an example. Do not use addslashes() here.)

If this is just a bad example, then consider this: You should avoid using
such PHP built-ins to escape parts of a database query. addslashes() is
inadequate() to the task. Use extension-provided functions, like
mysql_real_escape_string() or (better) prepared statements (as supported
e.g. by PDO, MySQLi, and sqlsrv, and implemented e.g. by Zend Framework).

> To retrieve and redisplay I use:
> $fld = $row['field_name'];
> $fld = htmlspecialchars($fld);
> $fld = stripslashes($fld);

I do not see why stripslashes() is needed (other than to compensate for the
pointless addslashes() before). htmlspecialchars() is only needed in the
output (so unless you are displaying a value twice, `echo' the return value
of htmlspecialchars() directly – unless your template engine/framework
already does that for you before, which it should be able to if it is any
good), and you should provide suitable additional parameters then (so that,
e.g., Unicode characters can be properly decoded and referred in the
markup).

Of course, you do not need or want to escape all dynamically generated
content, only where it matters (given a proper character encoding,
especially one that is the same in the database and the generated document,
and you making sure that no unwanted HTML is stored/retrieved in the first
place, there is no need to escape the generated content of elements.) Not
trying to escape things that do not need to be escaped can have positive
impact on the performance of a Web application (if you know the value is an
int – as made sure by a properly designed interface –, you don't have to
treat it like a string).


PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: free computer ebooks updated daily
Next Topic: IP address and empty $_FILES
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 09 23:25:12 GMT 2024

Total time taken to generate the page: 0.03515 seconds