Posted by ZeldorBlat on 10/16/07 17:05
On Oct 16, 12:32 pm, red...@hotmail.com wrote:
> Hi
> I have a webform with many free text fields and have a problem with
> apostrophes and single quotes as this breaks the mysql query string.
>
> I obviously need to escape these characters - magic_quotes_gpc sounds
> ideal but is not an option as I don't have access to the php.ini file
> and it is currently set to 0.
Don't use magic quotes. Not only is it going away but it will just
make things more difficult in the long run.
>
> I could use either addslashes or mysql_real_escape_string but do I
> have to apply this to every field individually or is there a way to do
> it to all in one go?
> Any advice on the most suitable method and how to do it in one go
> would be greatly appreciated.
>
People often just escape everything in the $_GET and $_POST arrays
before doing anything with their values. While that might "work," I
really don't recommend it. It's lazy and confines you in several
ways. What if you need to use that data somewhere besides a query?
What if using it elsewhere requires a different kind of escaping (like
htmlentities)?
Escaping should be done as close as possible to the point where it
needs to be escaped -- in the case of SQL queries, escape the data
when you use it in the query:
// mysql_real_escape_string() needs an open mysql_connect() link; escape the
// value here, at the point it is spliced into the SQL string, not earlier.
$query = 'update foo set bar = "' .
    mysql_real_escape_string($_GET['baz']) . '" where xyzzy = 42';
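The same point, carried through in working code as an added example (not code from the original post): one submitted value goes into two contexts, SQL and HTML, and each context does its own handling at the point of use. It uses PDO prepared statements instead of mysql_real_escape_string, since the mysql_* extension was removed in PHP 7, and assumes PDO with the sqlite driver is available so it runs without a server; the table, the row and the form input are constructed for the demo.

```php
<?php
// Added example, not from the original post: one free-text value, two contexts,
// each handled where the value is used. PDO + SQLite in memory so it runs alone.
declare(strict_types=1);

// Constructed stand-in for a submitted form field (would normally be $_POST['bar']).
$post = ['bar' => "O'Reilly <b>bold</b> -- 'quoted'"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE foo (xyzzy INTEGER PRIMARY KEY, bar TEXT)');
$db->exec("INSERT INTO foo (xyzzy, bar) VALUES (42, 'old')");

// SQL context: bind the raw value. Data and query text travel separately,
// so an apostrophe in the value cannot terminate the string literal.
function updateBar(PDO $db, int $id, string $bar): int
{
    $stmt = $db->prepare('UPDATE foo SET bar = :bar WHERE xyzzy = :id');
    $stmt->execute([':bar' => $bar, ':id' => $id]);
    return $stmt->rowCount();
}

function fetchBar(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT bar FROM foo WHERE xyzzy = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML context: escape for HTML on the way out, not on the way in.
function renderBar(string $bar): string
{
    return '<td>' . htmlspecialchars($bar, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Raw value in, raw value stored, escaped only when rendered.
updateBar($db, 42, $post['bar']);
$stored = fetchBar($db, 42);
printf("stored   : %s\n", $stored);
printf("rendered : %s\n", renderBar($stored));

// What blanket escaping of the input array would have done: addslashes() applied
// to $_POST up front, and the query layer then binding/escaping a second time.
// The backslashes end up in the database, and the value is still not HTML-safe.
updateBar($db, 42, addslashes($post['bar']));
printf("stored after upfront addslashes: %s\n", fetchBar($db, 42));
```

Run it with `php example.php`: the first stored value comes back exactly as submitted, the rendered line shows the apostrophes and angle brackets entity-encoded, and the last line shows the literal backslashes that upfront escaping writes into the row.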