473,218 Members | 1,432 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,218 software developers and data experts.

Escaping Data and Replacing HTML for PHP/MySQL

Isn't inserting good data and getting it out of a db a pain in the a$$?

I am going to be using the Markdown text to HTML parser
(http://daringfireball.net/projects/markdown/dingus) for creating HTML
from user input (for a bespoke CMS) so that users can put in their own
headings, lists and links etc.

This is great and gets round all the issues of apostrophes etc. when
inserting informaiton into a database for me.

However for other fields such as Username, First Name, Address etc. I
still need to be able to cleanly add in slashes (as well as other HTML
elements such as $ and &).

Is there a good solid idiot proof solution to this, bearing in mind
that from server to server things like magic quotes will change.

My thoughts are to create a function like this below to use before
constructing SQL statements:

function prep_for_db( $value ) {
if ( ini_get('magic_quotes_gpc') != true ){
$value = addslashes( $value );

//some other XHTML related find and replace stuff for &, $, etc.

return $value


The second issue is that of replacing elements such as &, $ and (is
there a function out there for replacing these chars or do I need to
build my own?). If I replace these with things like & they will
start taking up my characters in my db fields. Would it be prudent to
just parse text on the way out of the db or is this gonna slow down
general browsing?

Any help and advice from more experienced PHPers would be greatly



Sep 21 '05 #1
2 2008
thehuby wrote:
The second issue is that of replacing elements such as &, $ and (is
there a function out there for replacing these chars or do I need to
build my own?).


You may want to start here:

Sep 21 '05 #2
Thanks for that..they don't appear to escape all the characters I want,
I think I may need to build my own search and replace funciton to deal
with the ones I need (dollar for example is not covered in either
function) for XHTML and Accessibility compliance.


Sep 22 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

by: Reply Via Newsgroup Thanks | last post by:
Folks, This questions is directed towards PHP/MySQL folk and relates to escaping hooks, apostraphe's and other characters that can create a security hole when writing to databases/files. I've...
by: Dave Smithz | last post by:
Having adopted someone else's PHP cope and completing a crash course in the language I came across a (probably common) problem with the current code. On a registration form, whenever users names...
by: Dave Moore | last post by:
Hi All, Can anybody point me to a FAQ or similar that describes what all this stuff is about please?. I'm interfacing with a MySQL database if that's relavent. I've read a couple of books which...
by: Ian Rastall | last post by:
Sorry for the double question. I'm having a terrible time figuring out how to escape apostrophes in my mySQL database. Perhaps they have to be escaped in the PHP, using mysql_real_escape_string? ...
by: Lisa | last post by:
I need to apply the HTML formatting tags and the French accented characters in a XML document. The XML is generated from a database that has HTML tags and French accented characters in the records....
by: Mitchell Vincent | last post by:
Is there some built in functionality to escape special characters for use through ADO? I'm sure I could manually replace the ' with ' (if that is the right escape sequence), but I'm afriad I just...
by: Taras_96 | last post by:
Hi everyone, I'm having a bit of trouble understanding the purpose of escaping nulls, and the use of addcslashes. Firstly, the manual states that: "Strictly speaking, MySQL requires only...
by: David Henderson | last post by:
I know 'disable-output-escaping' has been discussed in the past, but I can't put my finger on any of the threads to see if my current problem is addressed. Sorry for re-asking the question if it...
by: Fred | last post by:
if I use mysql_real_escape_string on all INSERT or UPDATE queries, then would a stored procedure provide any extra protection? the user has to be granted UPDATE and/or INSERT privileges anyway. ...
by: veera ravala | last post by:
ServiceNow is a powerful cloud-based platform that offers a wide range of services to help organizations manage their workflows, operations, and IT services more efficiently. At its core, ServiceNow...
by: VivesProcSPL | last post by:
Obviously, one of the original purposes of SQL is to make data query processing easy. The language uses many English-like terms and syntax in an effort to make it easy to learn, particularly for...
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 3 Jan 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). For other local times, please check World Time Buddy In...
by: jianzs | last post by:
Introduction Cloud-native applications are conventionally identified as those designed and nurtured on cloud infrastructure. Such applications, rooted in cloud technologies, skillfully benefit from...
by: mar23 | last post by:
Here's the situation. I have a form called frmDiceInventory with subform called subfrmDice. The subform's control source is linked to a query called qryDiceInventory. I've been trying to pick up the...
by: abbasky | last post by:
### Vandf component communication method one: data sharing ​ Vandf components can achieve data exchange through data sharing, state sharing, events, and other methods. Vandf's data exchange method...
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
by: fareedcanada | last post by:
Hello I am trying to split number on their count. suppose i have 121314151617 (12cnt) then number should be split like 12,13,14,15,16,17 and if 11314151617 (11cnt) then should be split like...
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.