database safe text

Anon

Hi,

I am looking for a good way to format text string before inserting them into a database. I wish to remove DB harmful charachers such as '.

this is what I currently have:

function db_s($in_string)
{
$str_out = str_replace("\'", "`", $in_string);
return $str_out;
}

db_s($textstring)

The problem is that it does'nt seem to work on large blocks of HTML....

any ideas or better solutions would be great.

Anon

You can use mysql_escape_string().

Diego

Anon

thanks.. that is a handy function and I will be sure to use it at times. But I really just want to replace all ' chars with ` any ideas? 😉

deathrider

If you just want to change it to be able to insert it into the database, you could use addslashes() to add escape backslashes, or if you want it only for html display you can also use htmlspecialchars(), which will convert " ' < > (not sure if he converts more, check php.net) to html codes.

I mostly use seld defined filter functions...to convert strings for different purposes...like database insertion, form display, html display etc.

i hope that helps 🙂

Anon

Hmm, is the ' character harmful to the database, I know it messses it up html form tags, but I never had any problems with direct population.

by the way use:
$str_out = str_replace("'", "`", $in_string);

without the slash.

deathrider

The slash is added automatically...depending on where he wants to replace the ', his way is correct 🙂 - but as i said, it depends at which stage you want to replace it.