Home > Archive > PHP Pear > October 2007 > Re: [PEAR] MDB2 autoExecute escaping data
Re: [PEAR] MDB2 autoExecute escaping data
brian

2007-10-07, 7:03 pm

Mark Steudel wrote:
> Hi All, I thought I've asked this before but couldn't find it in the
> archives, and couldn't find it in the pear docs.
>
> I'm having problems with extra slashes showing up in my data and was wondering
> if mdb2 by default does its own escape strings when using autoExecute?
>


I don't think so. Have you checked whether or not magic quotes is enabled?

if (get_magic_quotes_gpc()) ...

brian
Mark Steudel

2007-10-07, 7:03 pm

I think I'm checking for that, here's the code I am running:

// convert to html entities
$html = htmlentities( $_POST['content'], ENT_QUOTES );

// check if magic quotes gpc is on, remove slashes
if( get_magic_quotes_gpc() )
{
    // assign back to $html, otherwise the stripped copy is never used
    $html = stripslashes( $html );
}

// then use real escape function
$html = mysql_real_escape_string( $html );

$field_values['content'] = $html;

$mdb->autoExecute( 'tableName', $field_values );

brian

2007-10-07, 7:03 pm

Mark Steudel wrote:
> I think I'm checking for that, here's the code I am running:
>
> // convert to html entities
> $html = htmlentities( $_POST['content'], ENT_QUOTES );
>
> // check if magic quotes gpc is on, remove slashes
> if( get_magic_quotes_gpc() )
> {
>     // assign back to $html, otherwise the stripped copy is never used
>     $html = stripslashes( $html );
> }
>
> // then use real escape function
> $html= mysql_real_escape_string( $html);
>
> $field_values['content'] = $html;
>
> $mdb->autoExecute( 'tableName', $field_values );
>


Don't pass your data to mysql_real_escape_string(). The MDB2 wrapper
will handle escaping/quoting. When using a DB wrapper one should
generally avoid mixing in database-specific function calls.

brian
Christian Schmidt

2007-10-07, 7:03 pm

Mark Steudel wrote:
> I think I'm checking for that, here's the code I am running:
>
> // convert to html entities
> $html = htmlentities( $_POST['content'], ENT_QUOTES );
>
> // check if magic quotes gpc is on, remove slashes
> if( get_magic_quotes_gpc() )
> {
>     // assign back to $html, otherwise the stripped copy is never used
>     $html = stripslashes( $html );
> }

Generally, you should call stripslashes() before anything else, i.e.
before htmlentities().


Christian
Justin Patrin

2007-10-08, 4:09 am

On 10/7/07, Christian Schmidt <pear.php.net@chsc.dk> wrote:
> Mark Steudel wrote:
> Generally, you should call stripslashes() before anything else, i.e.
> before htmlentities().
>


Then again you really shouldn't be running htmlentities on data you're
inserting into the DB in the first place.

--
Justin Patrin
Mark Steudel

2007-10-08, 8:06 am

Why isn't it a good idea to be running htmlentities on the data before hand?
It is raw HTML, if that makes any difference.

Thanks, Mark

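The handling the replies converge on (strip magic-quote slashes first, store the raw text without mysql_real_escape_string() or htmlentities(), let MDB2 quote it, and escape for HTML only when rendering), as an added example written for this archive page rather than taken from any of the posts. It assumes PEAR MDB2 is installed, a placeholder DSN in $dsn, and the table name tableName from Mark's snippet.

```php
<?php
// Added example, not code from any poster. Assumes PEAR MDB2 is installed.
require_once 'MDB2.php';

// 1. Undo magic_quotes_gpc before anything else touches the value
//    (Christian's point), and only when PHP really added the slashes.
function rawPostValue($key)
{
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Store the raw text. No htmlentities() (Justin's point) and no
//    mysql_real_escape_string() (brian's point): MDB2 quotes the value
//    itself, so escaping here as well leaves literal backslashes in the row.
function storeContent(MDB2_Driver_Common $mdb2, $content)
{
    $fields = array('content' => $content);
    $res = $mdb2->autoExecute('tableName', $fields, MDB2_AUTOQUERY_INSERT);
    if (PEAR::isError($res)) {
        return false;
    }
    return true;
}

// 3. Escape for the browser at output time, not at storage time, so the
//    stored copy stays usable for any other consumer of the data.
function renderContent($content)
{
    return htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
}

// $dsn is a placeholder, e.g. 'mysql://user:pass@localhost/dbname'.
$mdb2 = MDB2::factory($dsn);
if (PEAR::isError($mdb2)) {
    die($mdb2->getMessage());
}

$content = rawPostValue('content');
if (storeContent($mdb2, $content)) {
    echo renderContent($content);
}
```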
Copyright 2008 codecomments.com