[nycphp-talk] Best practices for form input/output between PHP & MySQL?
Analysis & Solutions
danielc at analysisandsolutions.com
Wed Sep 17 18:15:50 EDT 2003
Hi Dan:
On Wed, Sep 17, 2003 at 04:56:36PM -0400, D C Krook wrote:
>
> We take care to sanitize user input and data display by way of
> addslashes(), stripslashes(), htmlfunctions(), nl2br() and the like, but
> occasionally a legitimate backslash in a code snippet gets removed when
> updating a textarea containing some code, for example:
>
> escape(document.title.replace(/\+/g,''))
> becomes
> escape(document.title.replace(/+/g,''))
By the way you're talking, it sounds like you're using stripslashes after
pulling stuff out of the database -- before displaying it. Am I reading
you right?
If so, that's not needed and leads to weird things like you're talking
about.
If not, where are you using it?
You only need to use it _once_, before putting items into a query. The
slashes won't be stored in the database.
> function sanitizeInputForDB ($strFieldInput) {
addslashes();
But, you'll also need to make sure data going to numeric fields doesn't have
anything except numeric characters. This is because such fields don't
need to be quoted in query strings, thus they're open to being easily
manipulated.
> function formatDataForDisplay ($strData, $isTextArea = false) {
All output should be run through htmlspecialchars(), regardless of it
being a textarea or not. That's all you need to do.
Enjoy,
--Dan
--
FREE scripts that make web and database programming easier
http://www.analysisandsolutions.com/software/
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
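The input/output flow Dan lays out above, written out as an added PHP example that is not part of the original thread. The function names sanitizeInputForDB() and formatDataForDisplay() come from the quoted message; sanitizeIntForDB(), the snippets table and the sample values are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). Strings are escaped exactly
// once, right before they go into the query, and never un-escaped on the
// way out; numeric fields are validated separately because they are not
// quoted in the SQL; all output passes through htmlspecialchars().

// Escape a string that will sit inside single quotes in a query.
// addslashes() is what the message recommends; with an open MySQL link,
// mysql_real_escape_string($s, $link) is the charset-aware equivalent.
function sanitizeInputForDB($strFieldInput) {
    return addslashes($strFieldInput);
}

// Numeric columns are not quoted in the query string, so escaping quotes
// does nothing for them: accept only an integer, reject everything else.
// (Hypothetical helper, not from the thread.)
function sanitizeIntForDB($input) {
    if (!preg_match('/^-?\d+$/', (string) $input)) {
        return null;   // caller decides how to report the bad value
    }
    return (int) $input;
}

// Every string shown in a page goes through htmlspecialchars(), whether it
// lands in a textarea or not. Text rendered as HTML body (not in a form
// field) additionally gets nl2br() for its line breaks.
function formatDataForDisplay($strData, $isTextArea = false) {
    $out = htmlspecialchars($strData, ENT_QUOTES);
    return $isTextArea ? $out : nl2br($out);
}

// Constructed sample input: the code snippet from the original report.
// In PHP source "\\+" is the two characters backslash and plus.
$snippet = "escape(document.title.replace(/\\+/g,''))";
$userId  = "42";

$escaped = sanitizeInputForDB($snippet);   // backslash becomes \\ in the SQL
$id      = sanitizeIntForDB($userId);
if ($id === null) {
    die("bad id\n");
}
// MySQL removes the escaping slashes when it parses the literal, so the
// stored row holds the original single backslash.
$sql = "UPDATE snippets SET body = '$escaped' WHERE id = $id";
echo $sql, "\n";

// What SELECT returns is the original text; running stripslashes() on it
// here is the bug in the report: '\+' becomes '+'.
$fromDb = $snippet;
echo stripslashes($fromDb), "\n";                 // regex /+/ , backslash lost
echo formatDataForDisplay($fromDb, true), "\n";   // backslash kept, quotes encoded
```

One check worth adding before calling sanitizeInputForDB(): if magic_quotes_gpc is on (the PHP 4 default), the request data already carries slashes and addslashes() will double them; test get_magic_quotes_gpc() and skip the call, or strip once on the way in, so the value is escaped exactly one time.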