[RESOLVED] Using multiple commands

guigrrl

How do you use all of these commands on a single insert entry?
addslashes(), stripslashes(), htmlspecialchars(), htmlentities()

how would you use it on something such as this: $result = mysql_query("UPDATE products SET mainContent = '$mainContent';");

Anyone have a clue?

Thanks

Lisa

Merve

Why would you be using addslashes() and stripslashes() on the same entry? What is it that you are trying to do? Please clarify.

guigrrl

I would like to be able to put simple tags (, <bold>, , , etc.) with text in a text field. Once they are entered and submitted (along with the text that is affected by the tags), I'd like them to display properly -- so if I entered this word it would display in italics.

The text is currently dumping in the dbase and I can retrieve it -- but I can't get the tags to dump and since they don't dump, I can't get them to display the text proplerly.

cahva

Usually if I put something in the database, I just use mysql_real_escape_string and when used, then parse it like I want. Ofcourse you can strip tags when inserting.Something like this should do the trick:

$allowedtags = '<em><bold><br><strong><i>';
$mainContent = mysql_real_escape_string(strip_tags($_POST['mainContent'],$allowedtags));
$result = mysql_query("UPDATE products SET mainContent = '$mainContent'");

guigrrl

AAH! I totally get it -- so I have to define what is allowed. Geez. Thanks so much! I am going to try this!

Lisa

Jack_McSlay

in that case I dont see why should you use htmlentities or htmlspecialchars. these should be used when you DON'T want to allow users to input HTML tags, causing it to display text instead of text

I highly recommend using it tho, because malicious users might try to input javascript in your page using it.

as for the sql if should suffice to escape it with addslashes (mysql_real_escape_string() is the best choice actually) don't do anything with htmlspecialchars() or htmlentities() before entering data into the DB or you'll only get headaches.

also, remember to check the magic_quotes_gpc settings in php.ini. If it's enabled it will escape everything coming from GET, POST or COOKIE beforehand, so you'd be escaping the strings twice if you don't un-escape them with stripslashes() first (or not modify at all, in case you decide to use addslashes(), because you'd be wasting processing time).

guigrrl

WHOOT! This toally works!

guigrrl

whoops -- TOTALLY. Thanks so much for the help!