Form Input

Sharif

Before submitting form data into a database (MySQL), what should be done? adding slashes, correct?

Say at the beginning of the script I declare variables that contain the form input:

$var = $_POST['x'];
$two = $_POST['x2'];

Now if I wanted to add slashes right before inserting, I'd do this:

foreach ($_POST as $key=>$value) 
{ 
      $_POST[$key] = htmlspecialchars(addslashes(trim($value)));
}

Would that still be effective if I do:

"INSERT INTO <table> (field1, field2) VALUES ('$var', '$two')";

Instead of:

"INSERT INTO <table> (field1, field2) VALUES ('$_POST['x']', '$_POST['x2']')";

Weedpacket

No, $var and $_POST['x'] would have different values by then.

It would be effective if you went

$var = &$_POST['x'];
$two = &$_POST['x2'];

Sharif

Ok What if I do:


//Add slashes first

foreach ($_POST as $key=>$value)  

{  

      $_POST[$key] = htmlspecialchars(addslashes(trim($value))); 
}

//Then make variables
$var = $_POST['x']; 
$two = $_POST['x2'];

If I were to display the form again (say the user made an error) and one of the fields were supposed to display whatever the user submit, would it display with slashes?

Weedpacket

Short answer: yes. Longer answer: try it and see.