Posted by Tony on 10/07/76 11:17
<no@emails.thx> wrote in message
news:bftl91p3ja0eq4a5rdui5ctgbaiae3od8q@4ax.com...
> Hi
>
> I use mysql_escape_string() to escape all my form-entered fields,
> mainly to prevent malicious code injection. But what is the best way
> to unescape them in the code? I can see stripslashes() does the job,
> but it seems very cumbersome and I'd need to stripslashes() every
> field after every SELECT, which seems a real pain in the ass.
>
> What do most of you do with SELECTed data? Do you have a
> function/class and unescape the fields in there - or do you unescape
> them at the stage when the data is displayed/used?
>
When I'm doing it for fields primarily intended for browser display (like
this example:
http://www.wherecanifindweb.info/sfbe-php/showlistings.php?which=browse ), I
actually process the escape characters before saving to the database - I
change them to HTML escape sequences, like "
I do have to re-process them for EDITING, but not for any simple display.
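
The round trip discussed in this thread, as an added example that is not part of either post: text stored through a bound parameter comes back from SELECT byte-for-byte, so there is nothing to unescape, and HTML encoding is applied only at output, which also covers the edit form. It assumes PHP with the pdo_sqlite extension; the `listings` table, the sample input and the helper `h()` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the real database (assumption for this example).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT)');

// Constructed form input containing SQL and HTML metacharacters.
$input = 'O\'Reilly\'s "best" <b>deal</b> & more';

// Storage: the value travels as a bound parameter, never as part of the SQL text.
$stmt = $pdo->prepare('INSERT INTO listings (title) VALUES (:title)');
$stmt->execute([':title' => $input]);

// Retrieval: SQL escaping is a transport detail, so the stored value carries no
// backslashes. Backslashes in SELECTed data mean the input was escaped twice.
$stored = $pdo->query('SELECT title FROM listings WHERE id = 1')->fetchColumn();
if ($stored !== $input) {
    throw new RuntimeException('stored value differs from submitted value');
}

// Output: encode for the HTML context at the moment of display.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

echo '<p>' . h($stored) . '</p>' . PHP_EOL;

// Editing: the same call is correct inside an attribute value. The browser decodes
// the entities and submits the original text again, so the round trip is stable.
echo '<input name="title" value="' . h($stored) . '">' . PHP_EOL;

// Contrast: encoding before saving puts entities in the database. Editing then
// needs a decode step, and any template that encodes on output double-encodes.
$encodedAtSave = h($input);
if (htmlspecialchars_decode($encodedAtSave, ENT_QUOTES) !== $input) {
    throw new RuntimeException('decode for editing did not restore the input');
}
if (strpos(h($encodedAtSave), '&amp;quot;') === false) {
    throw new RuntimeException('expected double-encoded entity');
}
echo 'double-encoded: ' . h($encodedAtSave) . PHP_EOL;
```

`mysql_escape_string()` was removed together with the old mysql extension in PHP 7.0; bound parameters through PDO or mysqli are the supported way to pass values to a query.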