|
Posted by "bruce" on 10/21/49 11:27
hey chris...
thanks!!
but what do you mean by "...escape output!!"
is that output of the query, which is input to the db?
as i understand it, you escape the query vars, after filtering/validation,
that you're going to touch the db with... (insert/update/select)
am i on your same wavelength??
-bruce
-----Original Message-----
From: Chris Shiflett [mailto:shiflett@php.net]
Sent: Thursday, September 22, 2005 7:15 PM
To: bedouglas@earthlink.net
Cc: 'Chris W. Parker'; php-general@lists.php.net
Subject: Re: [PHP] basic user/input form questions... more validation!
bruce wrote:
> not sure i agree with this one.. if i put "foo \' cat" in a db tbl...
> i expect that i'll get the same out... which is what some of the
> articles i've seen have stated.. are you telling me, and are you sure,
> that i'd get "foo ' cat" out instead!!????
>
> the articles i've seen imply that if you addslashes, you also need to
> stripslashes on the backend...
You're reading the wrong articles. :-)
Escaping is something you do to preserve data, period. If you have data
that is going to enter a context where it can be considered anything
other than data, it needs to be escaped. I often simplify this by
suggesting that you always escape output.
I did a podcast about this topic a few weeks ago:
http://pro-php.com/index.php?post_id=10
I also wrote a small followup blog entry:
http://shiflett.org/archive/133
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
[Back to original message]
|