MySQL Forums
Forum List  »  PHP

handling nasty characters in MySQL with php
Posted by: chris hearn
Date: April 21, 2005 04:28PM

Hi there,
I am trying to decide on a rational way to keep my web app reasonably secure from attack but also to handle awkward characters ( such as ampersand, quotes, forward/backslashes etc) in string data properly. I have got myself confused, so any (helpful) comments would be welcomed!

Assume the next line is entered by a user in a form text field...(as writ)
Mr O'Reilly & my mate "Jim"

so this gets posted to the server, and ends up in $foo=$_POST(['myformvar'];

Question - has it got mangled by the time it gets into $foo already?
If so, how to stop it?

Now to store $foo into my table...

I assume I need to escape the data before trying to insert it into the MySQL table? so
$foo= addslashes($foo) ;

now i can put it into MySQL by enclosing in single-quotes with something like this..
$sql= "UPDATE `mytable` myfield1='.$foo.' WHERE ID=1"

and the whole string should end up stored properly in the table ? because I escaped it first?

When I extract the data and put it back in $bar...
$sql = "SELECT myfield1 FROM `mytable` WHERE ID=1";
(plus php code stuff to run the query, put the result field back into variable $bar )

so now I need to $bar= stripslashes($bar); or otherwise any comaprisons I make with user data will not work?
and then carry on with code, comparisons etc...

Is this right. please?
Does it boil down to rules:
1) "must addslashes to ALL string fields before putting into table,
2) must IMMEDIATELY stripslashes on ALL string data coming out of a table, before using it

Please comment.. sorry it's rather a long post!


Options: ReplyQuote

Written By
handling nasty characters in MySQL with php
April 21, 2005 04:28PM

Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.