NYCPHP Meetup

NYPHP.org

[nycphp-talk] un-escape db content using php or ADOdb functions

Eugenio Tacchini eugenio.tacchini at gmail.com
Wed May 2 14:23:26 EDT 2012


2012/5/2 Federico Ulfo <rainelemental at gmail.com>:
> All you want to escape for MySQL is ' and \.
> In JavaScript you also have to consider the double quote " and the newline \n,
> which is equivalent to using a semicolon ;
> In HTML you also want to be secure from XSS, so you want to use
> htmlspecialchars (as Rob said).
>
> Anyway, I'm not sure I understood your problem, so I strongly recommend
> deactivating GPC, which you can do from php.ini, or by stripslashing the input
> variables:
> http://php.net/manual/en/security.magicquotes.disabling.php
>
> Instead, if your content is already escaped and your problem is to
> un-escape it, try to understand how it is escaped; then str_replace or
> preg_replace will do the job!

Yes, that's one point: it's not always clear what the escape functions
did (unless you want to look inside the PHP source code) :)



------------------
Eugenio Tacchini

dadabik.org DaDaBIK database front-end
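The three points raised in the thread (escape per output sink, disable magic quotes at the input boundary, and reverse an already-applied escaping layer only once you know what applied it), as an added PHP example that is not part of the original thread or of DaDaBIK. The function names, the `notes` table and the sample strings are assumptions made up for the illustration; the SQL case assumes a PDO connection and uses a prepared statement, which is what replaces hand-escaping of ' and \ for MySQL.

```php
<?php
// Added example (not from the original thread or DaDaBIK). Shows one
// escaper per output sink and how to undo the addslashes() layer that
// magic_quotes_gpc left in stored content. Assumes PHP >= 5.4.

// 1. Input boundary: undo magic_quotes_gpc exactly once, and only if it is on.
//    Stripping unconditionally corrupts legitimate backslashes.
function rawInput(array $gpc)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return array_map('stripslashes', $gpc);
    }
    return $gpc;
}

// 2. Output: escaping belongs to the sink, not to the stored string,
//    so store raw text and escape at the moment of output.
function forHtml($s)
{
    // ENT_QUOTES covers both ' and ", so the value is safe inside
    // single- or double-quoted attributes as well as in element text.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function forJsString($s)
{
    // json_encode handles ", \ and the newline the thread mentions;
    // the HEX flags also keep </script> or <!-- from ending an inline block.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function insertNote(PDO $db, $body)
{
    // Hypothetical 'notes' table. With a prepared statement the driver
    // quotes the value, so ' and \ in $body never reach the SQL text.
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute(array(':body' => $body));
}

// 3. Legacy rows written while magic quotes were on carry an addslashes()
//    layer: every ' " \ and NUL is prefixed with a backslash. A row is a
//    candidate for stripslashes() only if it has backslashes to strip and
//    no quote that is *not* prefixed (an even run of backslashes before a
//    quote means the quote itself is unescaped).
function looksAddslashed($s)
{
    return $s !== stripslashes($s)
        && preg_match('/(?<!\\\\)(?:\\\\\\\\)*["\']/', $s) === 0;
}

function unescapeLegacyRow($s)
{
    // Reverse the one layer we can identify; leave anything else alone.
    return looksAddslashed($s) ? stripslashes($s) : $s;
}

// Constructed sample data: a row stored with magic quotes on, and one
// stored raw. Only the first should be changed.
$legacyRow = "O\\'Reilly wrote \\\"C:\\\\temp\\\"\nline two";
$rawRow    = "O'Reilly wrote \"C:\\temp\"\nline two";

$fixed = unescapeLegacyRow($legacyRow);
echo "legacy -> ", $fixed, "\n";
echo "raw    -> ", unescapeLegacyRow($rawRow), "\n";
echo "same?  -> ", var_export($fixed === $rawRow, true), "\n";

// The same raw text rendered for each sink.
echo "html   -> ", forHtml($rawRow), "\n";
echo "js     -> var note = ", forJsString($rawRow), ";\n";
```

Run it from the command line with `php example.php`. The heuristic in `looksAddslashed()` is deliberately conservative: it cannot tell a backslash that addslashes() added from one the user typed, so run it as a one-off migration with a backup rather than on every read, and never "fix" a string on the way out while also escaping it for a sink.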


