htmlentities or whatever

harkly

Trying to add security to my site and I am currently working on escaping data coming from the DB

:mad: GREAT can't even get my issue to work in here. Converts to "'s

Hopefully I can explain clearly.

My DB holds the entity of a quote " ( & # 34 ; )
when echoing to the webpage I am getting the entity and not an actual quote, I want the quote "

I've tried every variation of htmlentities and htmlspecialcharacter, so apparently I am not understanding what they are used for.

I can't believe that this is difficult but have no idea what to do now Please help!

traq

normally, you would have [font=monospace]"[/font] stored in the DB, and you would use [man]htmlentities/man to encode it.

if you have [font=monospace]& #34[/font] stored in your DB, then it's already an html entity - you don't need to escape it at all, unless you want to see [font=monospace]& #34[/font] on your page.

Bonesnap

I would recommend storing the data "raw" in the database and only filtering it when displaying it. In other words, why are quotes being stored as entities?

harkly

Bonesnap;11004855 wrote:
I would recommend storing the data "raw" in the database and only filtering it when displaying it. In other words, why are quotes being stored as entities?

For security.

This is my 1st attempt at adding security and I can tell you I am so confused by all the different information I am getting.

I am attempting to filter the data going into my DB with

filter_var($_POST["tv_shows"], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);

And then escaping output.

Reading "PHP Security", plus a few other have told me to do so. However, am I on the right :queasy: I don't know.

I have also converted to $mysqli

Bonesnap

harkly;11004857 wrote:
For security.

This is my 1st attempt at adding security and I can tell you I am so confused by all the different information I am getting.

I am attempting to filter the data going into my DB with
filter_var($_POST["tv_shows"], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
And then escaping output.

Reading "PHP Security", plus a few other have told me to do so. However, am I on the right :queasy: I don't know.

I have also converted to $mysqli

For inserting string data into the database you should be using mysql_real_escape_string or mysqli_real_escape_string (or use prepared statements), depending on how you're connecting to your database.

You can store quotes and other characters in your database just fine.