Text sanitization...hmm nothing is working

php-phan

Ok so here is the code i have now

for($i=0;$i<$amount;$i++){
//This goes through all of the messages and replaces any ' with \' thatway they are //escaped. And for some reason they dont say unescaped...
//Well this works so whatever :-/ STUDY AND FIGURE OUT WHY MORE!!!!
$xml->message[$i] = preg_replace("/'/","\'",$xml->message[$i]);
}

So (as the comments say) It replaces any ' with \' which is all nice and good but when i look at what is put inside of the database (mysql) they are just ' and not \' ... why is that? Also how can i sanitize text there is no HTML and i have no way of getting attacked. This is stressing me out cause nothing is working....

dagon

why not use mysql_real_escape_string()

php-phan

i honestly have no idea, everytime i use it it doesnt escape the '...I have no idea why but that one and all the others dont work.. its strange

dagon

i suspect how ever your viewing the db contents the slashes are being removed

NogDog

When you escape text for use in SQL, it is only escaped for the actual SQL execution, not for what is stored in the database. It is essentially the same thing as escaping characters in PHP:

echo 'This here\'s a test, y\'all';

Just as the back-slashes above are only for the PHP parser and do not actually get output to the browser, so the back-slashes used as escape characters in your SQL string are only for the SQL parser, not for the actual data stored in the DB.

dagon

thanks NogDog, i have no idea what I was thinking (clearly not thinking actully) :-)

php-phan

Ok, so if i want to update something that has ' then before i update i would have to go through and parse all of the data again...Well this sucks

dagon

well if the data hasn't changed, you don't update it, so its only new data, which of course will need to be sanitised if its from a non trusted source.