mysql_real_escape_string escapes char entities?
Does mysql_real_escape_string() escape HTML character entities? I want people on my comment board to be able to post quotes in their comments, but they get escaped as raw ascii, so I run them through htmlentities() first, but it doesn't help. I only get it to work when I remove mysql_real_escape_string(), like this:
nl2br(strip_tags(/*mysql_real_escape_string(*/htmlentities($_POST["comment"],ENT_QUOTES)))/*)*/
Is this expected?
I'm a student. If my statements seem too absolute, feel free to coat them with "In my opinion..." or "I believe...".
Hi.
It shouldn't do that, no.
Your code works like expected on my server.
Using the following code:
$comment = $_POST['comment'];
if(get_magic_quotes_gpc()) $comment = stripslashes($comment);
echo nl2br(strip_tags(mysql_real_escape_string(htmlentities($comment,ENT_QUOTES))));
The following string:
He said: "What's up?"
Is converted into:
He said: "What& #039;up?"
(Added a space in the single-quote HTML char. The forum would show it correctly otherwise.)
Just as expected.
I would question the need to convert them into HTML entities though.
The mysql_real_escape_string function should make sure all quote-marks are safely inserted into the query, which should allow you to show them in your HTML without problems.
Personally I wouldn't alter the comment at all before inserting them into the database, other than using the mysql_real_escape_string function of course. I would prefer to do that when I present the data. You never know if you need to change the way the data is displayed, and having the data in its original form will make that easier.
Last edited by Atli; Sep 12th, 2008 at 8:48 pm.
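The approach the reply describes (store the comment unaltered, convert it for HTML only when presenting it), as an added example that is not part of the original thread. It uses PDO bound parameters in place of mysql_real_escape_string() and an in-memory SQLite database so it runs offline; the `comments` table, the `render_comment()` helper and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.
// Assumptions: PDO with in-memory SQLite stands in for the MySQL database,
// and $posted stands in for $_POST['comment'] (constructed sample input).

$posted = "He said: \"What's up?\"\nSecond line with <b>markup</b>";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// SQL context: the value travels as a bound parameter, so quotes in the
// comment never become part of the SQL text. No htmlentities() here:
// the database keeps the comment exactly as it was typed.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $posted]);

$stored = $db->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();

// The stored value is byte-for-byte what the user posted.
var_dump($stored === $posted);

// HTML context: encode at presentation time only.
// (hypothetical helper name)
function render_comment(string $raw): string
{
    // Encode first, then add <br /> tags; the other order would encode
    // the <br /> tags that nl2br() inserts.
    $encoded = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($encoded);
}

// Quotes and angle brackets are shown as text, not interpreted as markup.
echo render_comment($stored), "\n";
```

Because the stored row is unmodified, a later change to how comments are displayed only touches `render_comment()`, not the data.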





