[RESOLVED] help with htmlspecialchars

Nells

I need a little help, with something that happened today,

Created a tracking database, with a form with 8 fields to collect information.

1) Severity
2) Date
3) case #
4) Description
5) Contact
6) Owner
|drop down list
7) Category
|drop down list
8) Sub-Cat

|_drop down list

While updating the DB with a NEW RECORD, I used the "htmlspecialchars" to filter the input. Today, someone added a new record and used the text "Mirror" at the beginning of the "Description". The record was added, but the contents was a mirror image of the original text.

the syntax -

$description=(htmlspecialchars($notesall, ENT_QUOTES));

What else can I do to prevent the injection to MySql ??

😕

bradgrafelman

I'm confused, you're saying that by simply adding the word "Mirror" to the beginning of a field, the data was somehow transposed into reverse order?? For example, "Mirror Description" is outputted as "noitpircseD rorriM" ?

Anyway, since you mentioned it, note that user-data should never be placed directly into a SQL query string. Instead, it must be first sanitized with a function such as [man]mysql_real_escape_string/man (or use a newer library, such as PDO or MySQLi, which allow you to use prepared statements).

Nells

Thanks for the quick reply - was searching for a way to address this, but did not know what to search on...

I am definitely a nub to PHP & MySQl, and search this site quite often...
and have located many helpful topics (a Great Resource) !

and to answer your question, yes - all of the text was a MIRROR reflection of the input.