|
Posted by Chris Shiflett on 10/21/13 11:27
bruce wrote:
> not sure i agree with this one.. if i put "foo \' cat" in a db tbl...
> i expect that i'll get the same out... which is what some of the
> articles i've seen have stated.. are you telling me, and are you sure,
> that i'd get "foo ' cat" out instead!!????
>
> the articles i've seen imply that if you addslashes, you also need to
> stripslashes on the backend...
You're reading the wrong articles. :-)
Escaping is something you do to preserve data, period. If you have data
that is going to enter a context where it can be considered anything
other than data, it needs to be escaped. I often simplify this by
suggesting that you always escape output.
I did a podcast about this topic a few weeks ago:
http://pro-php.com/index.php?post_id=10
I also wrote a small followup blog entry:
http://shiflett.org/archive/133
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Navigation:
[Reply to this message]
|