Few questions (auto-returns & ' in user input and other)

Hi,

When a user submits something into my code it is then submitted into a MySQL database... before the data passes through my coding I stick strip_tags() around the $_POST['']. Should I be also sticking htmlspecialchars() the $_POST['']s ?

Also, when a user puts carriage returns in say... a comment I'd like it to submit to the database WITH those carriage returns. How can I do that please?

One last thing, as you all know ' are used a lot in SQL injection so they need to be removed which is what strip_tags() does. Anyway, when a user does submit e.g. the word "that's" it gives an error due to the '. How can I safely allow users to submit ' when they're used properly?

Thanks,
Craig.
 
Craig321 said:
One last thing, as you all know ' are used a lot in SQL injection so they need to be removed which is what strip_tags() does. Anyway, when a user does submit e.g. the word "that's" it gives an error due to the '. How can I safely allow users to submit ' when they're used properly?

Code:
$str = htmlentities($str);

That should do the job :)
 
php.net/mysql_real_escape_string for data going into SQL queries.

htmlentities() on the way out, ie for data being pulled from anywhere and being outputted to a page.

"\r\n" converted to "<br />" (or <br> for HTML) to retain carriage returns entered through a browser :)
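The three rules in the reply above (escape for SQL on the way in, escape for HTML on the way out, convert newlines to `<br />` when rendering) as one working script. This is an added example, not code from the thread. It binds the user's text as a query parameter instead of calling an escaping function: `mysql_real_escape_string()` belongs to the ext/mysql extension that was removed in PHP 7.0, and a prepared statement gives the same protection without the string surgery. The in-memory SQLite database is there only so the script runs offline; for MySQL the DSN would be something like `mysql:host=localhost;dbname=app` (assumed values) and nothing else changes.

```php
<?php
// Added example, not code from the thread. Store user text exactly as typed,
// using a prepared statement so quotes in the data never reach the SQL parser,
// and encode for HTML only when rendering. The SQLite in-memory database is
// here so this runs offline; for MySQL the DSN would be something like
// 'mysql:host=localhost;dbname=app' (assumed values).
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// On the way in: no strip_tags(), no htmlentities(). The value is bound as a
// parameter, so "that's" and "' OR '1'='1" are both just text to the database.
function saveComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// The same rule covers WHERE clauses, which is where a bare ' in a
// "... WHERE col = '$blah'" query breaks.
function findComments(PDO $db, string $needle): array
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE body LIKE :pat');
    $stmt->execute([':pat' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// On the way out: escape for HTML first, then turn newlines into <br />.
// Escaping first means the <br /> that nl2br() adds survives, while any
// <br> the user typed is shown literally rather than interpreted.
function renderComment(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input covering the cases raised in the thread:
// an apostrophe, a carriage return, something that looks like code,
// and a quote-based injection attempt.
$samples = [
    "that's fine",
    "line one\r\nline two",
    "<?php echo \$_GET['i']; ?>",
    "' OR '1'='1",
];
foreach ($samples as $s) {
    saveComment($db, $s);
}

echo $db->query('SELECT COUNT(*) FROM comments')->fetchColumn(), " rows stored\n";
foreach (findComments($db, "that's") as $body) {
    echo renderComment($body), "\n";
}
echo renderComment($samples[1]), "\n";
echo renderComment($samples[2]), "\n";
```

All four rows insert without error, including the one that is nothing but quotes, because the driver sends the parameter separately from the SQL text. The rows keep the raw text, so a `LIKE` search for `that's` still finds it. `htmlspecialchars()` with `ENT_QUOTES` turns `'` into `&#039;` and `<` into `&lt;` at display time, so the `<?php ... ?>` sample is shown as text rather than being interpreted by the browser, and `nl2br()` puts `<br />` in front of the `\r\n` while leaving the newline itself in place.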
 
Beansprout said:
php.net/mysql_real_escape_string for data going into SQL queries.

I thought I only needed that when doing a SELECT ... WHERE blah = '$blah' ? I've been using the quote_smart() function from the escape string page on php.net for those.

Beansprout said:
htmlentities() on the way out, ie for data being pulled from anywhere and being outputted to a page.

So should I be doing htmlentities($_POST['blah']) instead of strip_tags($_POST['blah']) ?

Beansprout said:
"\r\n" converted to "<br />" (or <br> for HTML) to retain carriage returns entered through a browser :)

Thanks very much, did:

$input = str_replace("\r\n", "<br />", $input);

Works 100% :D


Thanks,
Craig.
 
Ok, I think I managed to figure it out, but could you guys check over it please?

I've done this:

Code:
$str = htmlentities($_POST['blah'], ENT_QUOTES);

This now allows me to post "that's" or another word with ' in it through the form and it successfully converts it to:
Code:
that&#039;s
in the database.

I also submitted <?php $_GET['i']; ?> to see if it'd print the text or output the code (eep). It posted this to the database:

Code:
&lt;?php $_GET['i']; ?&gt;

All seems good, can someone confirm it is please?

EDIT

Also, I guess I don't need to use htmlentities or strip_tags in file uploading as even if someone does submit the data from another form it'll have to process the data through my upload code which won't accept it.

Thx,
Craig.
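A check of the approach in the post above (htmlentities() with ENT_QUOTES applied before the INSERT), written as an added example rather than anything from the thread. It reproduces the `that&#039;s` row the post reports and then compares it with storing the text as typed and encoding only when it is rendered. No database is needed; the "stored" value is simply the string that would go into the INSERT.

```php
<?php
// Added example, not from the thread. Compares the post's approach (encode with
// htmlentities() before storing) with storing the text raw and encoding only
// when it is rendered. The "stored" values here are the strings that would go
// into the INSERT; no database is involved.
declare(strict_types=1);

function renderHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: the thread's "that's" plus a tag and a backslash.
$typed = "that's <b>bold</b> C:\\path";

// Approach from the post: the database row holds entity text.
$storedEncoded = htmlentities($typed, ENT_QUOTES, 'UTF-8');

// Alternative: the database row holds what the user typed.
$storedRaw = $typed;

// Any page that prints comments has to escape every row, because it cannot
// tell which rows were pre-encoded. The pre-encoded row is therefore encoded
// twice and the visitor sees "&#039;" and "&lt;b&gt;" as literal text.
$shownEncoded = renderHtml($storedEncoded);
$shownRaw     = renderHtml($storedRaw);

// Searches, length limits and any non-HTML consumer (an e-mail, an API, a
// CSV export) also see the entity form rather than the text.
$searchHitsEncoded = strpos($storedEncoded, "that's") !== false;
$searchHitsRaw     = strpos($storedRaw, "that's") !== false;

// htmlentities() rewrites &, <, >, " and ' (and, with a charset given,
// non-ASCII characters). It leaves backslash alone, and backslash is the
// other character an SQL string literal cares about, which is why it is
// not a substitute for SQL escaping or a bound parameter.
$backslashUntouched = htmlentities("a\\b", ENT_QUOTES, 'UTF-8') === "a\\b";

foreach ([
    'stored (encode on input)'                 => $storedEncoded,
    'stored (raw)'                             => $storedRaw,
    'shown (encode on input)'                  => $shownEncoded,
    'shown (raw)'                              => $shownRaw,
    'search finds "that\'s" (encode on input)' => var_export($searchHitsEncoded, true),
    'search finds "that\'s" (raw)'             => var_export($searchHitsRaw, true),
    'backslash left as-is by htmlentities()'   => var_export($backslashUntouched, true),
] as $label => $value) {
    printf("%-42s %s\n", $label, $value);
}
```

The first line printed is the `that&#039;s ...` form the post saw in its table. The "shown (encode on input)" line is the cost of that choice: every `&` in the stored entity becomes `&amp;`, so the visitor reads `&#039;` on the page instead of an apostrophe, and the plain-text search for `that's` misses the row. Storing the raw text and calling `htmlspecialchars()` at output gives the same protection against the `<?php ... ?>` test in the post while keeping the row usable, and the backslash line shows that neither function is doing the SQL-side job a bound parameter does.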
 