[Phpwm] escape hell!

Phil Beynon phil at infolinkelectronics.co.uk
Thu Jun 29 22:43:57 BST 2006


> > Depends what the array is part of, but if it's going to a database or  
> > something then why not use htmlentities() to replace the apostrophes  
> > etc.? That should make it safe enough.
> >
> > Regards,
> >
> > Phil
> >
> If it's going to a database, you should be using the db-specific escape  
> functions (e.g. mysql_real_escape_string), addslashes isn't really  
> sufficient.
> htmlentities by default won't do anything to single-quotes anyway, you  
> need to pass it ENT_QUOTES (I think...) as the 2nd argument, and I'd  
> personally leave the application of that until the data is being 
> displayed  
> in a html page.
> 
> Greg

Yep - in-house this is referred to as the "O'Reilly problem", after our nice building industry site, which we thought had been tested in every conceivable way, died screaming in front of the customer's board of directors when the second person who signed up had the aforementioned name! :-)

Regards,

Phil
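The two layers Greg separates above (database escaping vs. HTML encoding at display time) can be shown with the very name that broke Phil's site. The following is an added example, not code from the thread: it uses PDO against an in-memory SQLite database so it runs offline, with a hypothetical `members` table. It uses a prepared statement rather than `mysql_real_escape_string` (which was removed along with the whole `mysql` extension in PHP 7.0), and `htmlspecialchars` with `ENT_QUOTES` for output; note that before PHP 8.1 the default flags for both `htmlentities` and `htmlspecialchars` were `ENT_COMPAT`, which leaves single quotes alone, so Greg's recollection was right.

```php
<?php
// Added example (not from the original thread). Demonstrates the "O'Reilly
// problem": an apostrophe in user data breaking string-spliced SQL, and the
// two separate defences discussed above, parameterised SQL for the database
// and ENT_QUOTES HTML escaping only at display time.
// Assumes an in-memory SQLite database via PDO so it runs offline; the
// `members` table and its columns are hypothetical.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$name = "O'Reilly";   // constructed sample input

// BROKEN: splicing the raw value into the SQL text. The apostrophe closes
// the string literal early and the statement fails with a syntax error;
// with a hostile value instead of a surname this is SQL injection.
try {
    $pdo->exec("INSERT INTO members (name) VALUES ('$name')");
} catch (PDOException $e) {
    echo "string-spliced INSERT failed: " . $e->getMessage() . "\n";
}

// FIXED: a prepared statement. The value is sent separately from the SQL
// text, so no escaping function is involved and the apostrophe is stored
// verbatim. This replaces the old mysql_real_escape_string() approach.
$stmt = $pdo->prepare('INSERT INTO members (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// Read it back: the database holds the original, unescaped name.
$stored = $pdo->query('SELECT name FROM members')->fetchColumn();
assert($stored === "O'Reilly");

// DISPLAY LAYER: encode for HTML only when the value is emitted into a
// page, and pass ENT_QUOTES so the single quote is encoded as well.
// Without ENT_QUOTES (the default before PHP 8.1) the apostrophe would
// pass through, which breaks out of single-quoted attributes like the
// one below.
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "<input value='" . render_name($stored) . "'>\n";
```

Keeping the HTML encoding out of the storage path matters for the same reason Greg gives: data that has been run through `htmlentities()` before insertion comes back wrong in every non-HTML context (CSV exports, e-mails, a JSON API), and it still does nothing to protect the SQL statement itself.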



