efficient way to handle string in form

enterume

Hi,

Seeking for a best way to handle the string for submiting, read and edit.

The main problem I am facing here is the " and ' . I know htmlspecialchars() would help me, but I have html tag like <font> , <b> in the string. If using htmlspecialchars() , i can't display the html entities correctly.

Any suggestion?

Thanks
Louis

laserlight

If magic_quotes_gpc is set to 1, then those quotes would be escaped.

I would recommened using:

//for storage to database
function prepIn($input) {
	$input = trim($input);
	if (!get_magic_quotes_gpc()) {
		return addslashes($input);
	}
	return $input;
}

//for o/p to html page, textbox or textarea
function prepOut($output) {
	$output = stripslashes($output);
	return htmlspecialchars($output);
}

foofoobar

I suggest turning magic_quotes off and using addslashes/removeslashes. Magic_quotes adds to the overhead and is set to off automatically in more recent versions.

laserlight

hmm, the online PHP manual still lists magic_quotes_gpc as 1 in default

foofoobar

Yep and we know that manuals are ALWAYS kept up to date. But since you seem to be a doubting thomas, allow me to point to this excerpt within the php.ini file...

; - magic_quotes_gpc = Off [Performance]
; Input data is no longer escaped with slashes so that it can be sent into
; SQL databases without further manipulation. Instead, you should use the
; function addslashes() on each input element you wish to send to a database.

laserlight

never really read my php.ini file carefully :o

still, the PHP manual is 1 manual that is remarkably well updated, though there are a fair bit of "in CVS only" entries, oh well.

philipolson

magic_quotes_gpc is on by default, you are quoting from the php.ini-recommended which is not the default php.ini ... php.ini-distributed is the default php.ini, which has this directive on.

foofoobar

Hmmm... yeah but they turn EVERYTHING on in that one, don't they?

philipolson

There isn't much difference between the two and all the differences are explained in php.ini-recommended. The main differences are with magic_quotes_gpc and display_errors as the others are "minor" and most likely will go unnoticed by most.

Btw, I of course meant php.ini-dist above 🙂

foofoobar

Ah... learn something new. So the recommended.ini explains and makes note of the differences? Thanks for the info. I didn't know that.

philipolson

Here are the latest versions:
http://cvs.php.net/co.php/php4/php.ini-recommended
http://cvs.php.net/co.php/php4/php.ini-dist

All deviations from php.ini-dist are listed and explained on top of php.ini-recommended.

foofoobar

Excellent. Thank you for the 'schoolin' sir. 🙂