mysql_real_escape_string escapes char entities?

CoolGamer48
#1
Sep 12th, 2008
Does mysql_real_escape_string() escape HTML character entities? I want people on my comment board to be able to post quotes in their comments, but they get escaped as raw ASCII, so I run them through htmlentities() first, but it doesn't help. I only get it to work when I remove mysql_real_escape_string(), like this:

    nl2br(strip_tags(/*mysql_real_escape_string(*/htmlentities($_POST["comment"],ENT_QUOTES)))/*)*/

Is this expected?
I'm a student. If my statements seem too absolute, feel free to coat them with "In my opinion..." or "I believe...".
Atli
#2
Sep 12th, 2008
Hi.

It shouldn't do that, no.

Your code works as expected on my server.
Using the following code:

    $comment = $_POST['comment'];
    if(get_magic_quotes_gpc()) $comment = stripslashes($comment);

    echo nl2br(strip_tags(mysql_real_escape_string(htmlentities($comment,ENT_QUOTES))));

The following string: He said: "What's up?"
is converted into: He said: "What& #039;up?"
(Added a space in the single-quote HTML char. The forum would show it correctly otherwise.)

Just as expected.

I would question the need to convert them into HTML entities though.
The mysql_real_escape_string function should make sure all quote-marks are safely inserted into the query, which should allow you to show them in your HTML without problems.

Personally I wouldn't alter the comment at all before inserting it into the database, other than using the mysql_real_escape_string function of course. I would prefer to do that when I present the data.
You never know if you need to change the way the data is displayed, and having the data in its original form will make that easier.
Last edited by Atli; Sep 12th, 2008 at 8:48 pm.
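The separation Atli recommends (store the comment unchanged, escape only when rendering) as an added example; this is not code from either post. It swaps mysql_real_escape_string() for a PDO prepared statement, since the old mysql_* extension needs a live MySQL connection and no longer exists in PHP 7 and later, and it assumes PDO's sqlite driver is available so an in-memory table can stand in for the MySQL comment table. The sample comment is constructed.

```php
<?php
// Added example, not from the thread. Store the comment exactly as typed using
// a prepared statement (placeholders keep quotes from ever reaching the SQL
// parser, so no string escaping is needed), and apply HTML escaping only when
// the comment is rendered.
// Assumption: PDO with the sqlite driver is installed; an in-memory database
// stands in for the MySQL comment table from the thread.

declare(strict_types=1);

// Constructed sample input: double quotes, a single quote, an HTML tag, a newline.
$rawComment = "He said: \"What's up?\"\n<b>bold</b>";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

// Insert the untouched comment and return its row id.
function storeComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Read a comment back in its original form.
function loadComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Escape for HTML at display time only. ENT_QUOTES covers both quote styles,
// escaping the tag makes strip_tags unnecessary, and nl2br runs last so the
// <br /> it inserts is not itself escaped.
function renderComment(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

$id = storeComment($db, $rawComment);
$stored = loadComment($db, $id);

// The database holds the original text: quotes intact, nothing entity-encoded.
assert($stored === $rawComment);

echo renderComment($stored), "\n";

// Contrast: entity-encoding before insert (as in the thread) and then escaping
// again on output double-encodes the ampersands, so the reader sees literal
// "&#039;" text instead of a quote.
$preEncoded = htmlentities($rawComment, ENT_QUOTES, 'UTF-8');
echo renderComment($preEncoded), "\n";
```

The first echo prints the comment with the quotes and the tag rendered as entities and the newline as a line break; the second shows the double-encoding that results when data is entity-encoded on the way in and escaped again on the way out, which is the practical reason to keep the stored copy raw.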