Re: Form fields to database and back? [message #174571 is a reply to message #174563]
Sat, 18 June 2011 06:35
Thomas 'PointedEars'
Messages: 701 Registered: October 2010
Senior Member
bobmct wrote:
> From field to database I used mysql_real_escape_string.
>
> When I look at the actual data stored in the db field that function
> inserted backslashes before each double quote.
>
> To display the retrieved db field I ran it through htmlspecialchars()
> but the backslashes still remained. I had to use stripslashes to
> remove them.
Then you are doing something wrong. mysql_real_escape_string() – AISB,
prepared statements (PS) with MySQLi or PDO are preferable to that – only
escapes the data for the query, so that SQL code injection is prevented.
It does _not_ change the data to be stored. So when you retrieve the data
you should not need to unescape anything. Perhaps you have used
mysql_real_escape_string() on the retrieved data also, but that is _not_ its
purpose.
> Works for now.
By chance. mysql_real_escape_string() does more than addslashes(), which is
why it is preferable to that. (And PS are preferable to it because they
consider the type automatically, among other advantages.)
PointedEars
--
Use any version of Microsoft Frontpage to create your site.
(This won't prevent people from viewing your source, but no one
will want to steal it.)
-- from <http://www.vortex-webdesign.com/help/hidesource.htm> (404-comp.)
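The round trip the reply describes, as an added example that is not part of the thread: a value containing quotes and a backslash is stored through a PDO prepared statement, read back unchanged, and escaped once with htmlspecialchars() at output time. It also reproduces the symptom bobmct reported by escaping the retrieved value a second time. The database is an in-memory SQLite table (an assumption made so the script runs offline; with MySQL only the DSN changes), and addslashes() stands in for mysql_real_escape_string() in the misuse step because the latter needs a live MySQL connection; both add backslashes before quotes, which is the point being shown.

```php
<?php
// Added example, not code from the thread. Demonstrates that parameterised
// storage leaves the data untouched, so nothing has to be "unescaped" on
// retrieval, and that escaping for HTML is a separate layer from escaping
// for SQL.
declare(strict_types=1);

// Assumption: SQLite in memory as a stand-in for MySQL so this runs offline.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Store: the placeholder carries the value out of band, so no quoting is
// spliced into the SQL text and the stored bytes are exactly the input.
function storeComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Retrieve: the value comes back as stored; no stripslashes() needed.
function loadComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Display: HTML escaping is applied once, at output, to whatever came back.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// The misuse from the thread: running an SQL-escaping function over data
// that is being displayed, not queried. addslashes() stands in for
// mysql_real_escape_string() here (assumption: no MySQL connection available).
function escapeOnOutputByMistake(string $body): string
{
    return addslashes($body);
}

// Constructed sample input with the characters that cause the confusion.
$input = 'He said "it\'s fine" <b>and</b> O\'Brien; one backslash \\ here';

$db     = openDb();
$id     = storeComment($db, $input);
$stored = loadComment($db, $id);

// Lossless round trip: true. stripslashes() on the stored value is wrong,
// because it would eat the backslash the user actually typed.
var_dump($stored === $input);
var_dump(stripslashes($stored) === $input);

// Correct output path: escaped for HTML only.
echo renderComment($stored), PHP_EOL;

// Wrong output path: SQL-style backslashes appear in front of every quote,
// which is what bobmct saw, and they survive htmlspecialchars() because a
// backslash is not an HTML-significant character.
echo renderComment(escapeOnOutputByMistake($stored)), PHP_EOL;
```

Run it with the PDO SQLite driver enabled. The first var_dump is true and the second false, the third echo shows the text with only HTML entities substituted, and the last echo shows the spurious backslashes; that last line is the only way to get backslashes into the output, which is why the reply says the escaping function must have been applied to the retrieved data as well.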