escape chars continued
Matthew Perry 2004-03-26, 11:12 pm
Filip de Waard wrote:
>
> On Mar 22, 2004, at 12:17 PM, Jimmy Brock wrote:
>
>
>
> Actually, you shouldn't use addslashes, but a database specific
> function like mysql_escape_string().
>
> http://phundamentals.nyphp.org/PH_storingretrieving.php
>
> Regards,
>
> Filip de Waard
>
Actually I think the problem is before you can use either addslashes or
mysql_escape_string() functions. The value with " or ' never reaches
the database. I think I need a way to ignore quotes for input values in
HTML.
Say I have this:
<input type="text" size = "2" name="Q">
And my user enters: 2 " copper tubing
The value for "Q" will be: 2
When I add it to the database with addslashes there will be no ", ' or \
to add a slash to!
And when I retrieve it from the database and use mysql_real_escape()
there will be the same problem.
Thank you for your time, and yes I am the real Matthew Perry of course.
Matthew Perry
Brock Jimmy D Contr Dodhsr5 2004-03-26, 11:12 pm
In your sample code the value is being truncated because size="2" -- so only 2 characters are being assigned to $_POST['Q']
addslashes should work...
Based on your example here is how (I changed the size to 50):
<input type="text" size="50" name="Q">
And my user enters: 2 " copper tubing
$q = addslashes($_POST['Q']); // new value for Q is: 2 \" copper tubing
Now insert $q into your database
When you want to display this value from the database onto your webpage use stripslashes
stripslashes($row['q']); // this will remove the backslash that was inserted from addslashes
Hope this helps,
Jimmy Brock
-----Original Message-----
From: matthew perry [mailto:mwperry@mail.uh.edu]
Sent: Monday, March 22, 2004 9:44 AM
To: PHP-DB php
Subject: escape chars continued
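Added example, not part of the original thread or any poster's code: it follows the value from this thread through storage and redisplay, going beyond the replies by using a bound parameter for the database and htmlspecialchars() for the HTML attribute. In-memory SQLite via PDO stands in for MySQL, the table name parts and the helper attributeValue() are hypothetical, and the pdo_sqlite and dom extensions are assumed.

```php
<?php
declare(strict_types=1);

// Constructed sample: what PHP receives in $_POST['Q'] for the input above.
// The size attribute only sets the visible width of the field; it does not
// shorten the submitted value (maxlength would).
$submitted = '2 " copper tubing';

// 1. Storage: bind the raw value as a parameter. No addslashes() on the way
//    in, so no stripslashes() on the way out.
$db = new PDO('sqlite::memory:');   // assumption: SQLite stands in for MySQL
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE parts (id INTEGER PRIMARY KEY, q TEXT)'); // hypothetical table
$insert = $db->prepare('INSERT INTO parts (q) VALUES (:q)');
$insert->execute([':q' => $submitted]);

$stored = (string) $db->query('SELECT q FROM parts WHERE id = 1')->fetchColumn();

// 2. Display: echoing the stored value raw into a double-quoted attribute
//    ends the attribute at the embedded quote. Encoding for the HTML context
//    keeps the whole value inside the attribute.
$raw  = '<input type="text" name="Q" value="' . $stored . '">';
$safe = '<input type="text" name="Q" value="'
      . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';

// Hypothetical helper: parse a tag and return what an HTML parser takes
// as the value attribute of the first <input>.
function attributeValue(string $html): string
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html); // suppress warnings about the malformed raw tag
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

printf("stored in DB : %s\n", $stored);
printf("raw echo     : %s\n", $raw);
printf("  parsed as  : [%s]\n", attributeValue($raw));
printf("encoded echo : %s\n", $safe);
printf("  parsed as  : [%s]\n", attributeValue($safe));
```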