"Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:GJ******************************@comcast.com...
> gzerphey wrote:
>> Thank you in advance for helping.
>> I have a bit of a problem with MySQL and PHP working together. More
>> specifically, when I use htmlspecialchars() to encode my text and then load
>> it into the database, it is interpreting the special characters and
>> decoding them.
>> Is there any way that I can preserve this encoding and make sure it stays
>> in my database?
>> Example:
>> Here is what is entered -- t%20t
>> Here is what is showing in the database now -- t t
>> Here is what I would like to see -- t%20t
>> Thank you again,
>
> htmlspecialchars() is for displaying special characters, not storing them
> in the database. You should be using it to display the data, not place it
> in the database.
> What you should do is store the data as it is entered (use
> mysql_real_escape_string() to handle any database-specific special
> characters).
(Apologies for thread hijacking...)
I took a look at the PHP documentation for mysql_real_escape_string()
(http://uk.php.net/manual/en/function...ape-string.php) and saw
an example of an 'SQL Injection Attack' (Example 2 on that page) along with
their solution (Example 3).
In their example, wouldn't magic quotes be sufficient to thwart the attack?
In their example, someone supplies $_POST['password'] of "' OR ''='". With
magic quotes on, this would become "\' OR \'\'=\'", correct? When used in
their example query, this would be:
SELECT * FROM users WHERE user='username' AND password='\' OR \'\'=\''
Wouldn't that be okay?
I would be grateful if someone could point out any misunderstandings I have.
Thanks.
A.
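An added example in PHP (not code from this thread or from the PHP manual) that puts the two points above side by side: the input is stored exactly as entered and htmlspecialchars() is applied only when the value is displayed, and the manual's `' OR ''='` password is passed to the query as a bound parameter, so it is compared as data and cannot change the query's structure whatever the escaping settings are. It assumes PHP with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL); the table and rows are constructed for the demo.

```php
<?php
// Added example (not from the thread): store user input unchanged, encode
// only on output, and pass values to the query as bound parameters instead
// of splicing them into the SQL text. An in-memory SQLite database via PDO
// keeps it stand-alone; the table and sample rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT, password TEXT, note TEXT)');

// Store exactly what was entered; no htmlspecialchars() at this stage.
$ins = $db->prepare('INSERT INTO users (user, password, note) VALUES (?, ?, ?)');
$ins->execute(['alice', 'secret',  't%20t']);
$ins->execute(['bob',   'hunter2', '<b>not bold</b> & "quoted"']);

// Login check using the password from the manual's injection example.
$badPassword = "' OR ''='";

// 1) String concatenation (the pattern the manual's Example 2 warns about):
//    the quotes inside $badPassword become part of the SQL, the WHERE clause
//    turns into  password='' OR ''=''  and every row matches.
$concat = "SELECT COUNT(*) FROM users WHERE user='alice' AND password='$badPassword'";
$matchedConcat = (int) $db->query($concat)->fetchColumn();

// 2) Bound parameters: the value travels separately from the SQL text, so
//    the same input is compared literally and matches no row.
$sel = $db->prepare('SELECT COUNT(*) FROM users WHERE user = ? AND password = ?');
$sel->execute(['alice', $badPassword]);
$matchedBound = (int) $sel->fetchColumn();

printf("concatenated query matched %d row(s), bound query matched %d\n",
       $matchedConcat, $matchedBound);   // prints 2 and 0

// Output stage: read the raw value back and encode it only for the HTML page.
foreach ($db->query('SELECT user, note FROM users') as $row) {
    $stored = $row['note'];                                   // still t%20t / raw HTML
    $safe   = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'); // encoded for display
    printf("%s: stored=%s display=%s\n", $row['user'], $stored, $safe);
}
```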