[nycphp-talk] un-escape db content using php or ADOdb functions
Rob Marscher
rmarscher at beaffinitive.com
Wed May 2 13:26:22 EDT 2012
On May 2, 2012, at 1:08 PM, Eugenio Tacchini wrote:
> Now, I'm wondering if the DB-specific escape functions really give
> additional value with respect to addslashes.
Chris Shiflett's article from 2006 had the best argument I've seen on why addslashes is not enough to secure your code.
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
Keep a copy of your unescaped data. Escape it for inserting into the database. Then take the original unescaped data and do what else you need with it. If you're outputting to HTML, you need to run something like the following on each variable you output:
echo htmlspecialchars((string) $var, ENT_QUOTES, 'UTF-8');
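The workflow Rob describes, written out as an added example (this is not code from the post or from ADOdb): the raw input is kept once, handed to the database through a bound parameter rather than a hand-built escaped string, and encoded for HTML only at the moment it is printed. An in-memory SQLite database stands in for MySQL so the script runs offline; the sample input is constructed to contain a quote, a backslash, markup and a multibyte character.

```php
<?php
// Added example, not from the original post or from ADOdb.
// One unescaped copy of the data; a separate encoding per sink.
declare(strict_types=1);

// Constructed sample input: single quote, backslash, markup, multibyte "é".
$raw = "O'Reilly \\ <script>alert(1)</script> \xc3\xa9";

// 1. Database: bind the raw value instead of escaping it by hand. Binding
//    makes the charset question that affects addslashes() irrelevant, because
//    the value never becomes part of the SQL text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $raw]);

// Reading it back returns the original bytes: nothing to "un-escape".
$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $raw);

// 2. HTML: encode at output time, never before storage, so the stored
//    value stays usable for non-HTML consumers.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<p>', html($stored), "</p>\n";

// 3. The same stored value feeds other outputs unchanged, each with its own
//    encoder (here json_encode for an API response).
echo json_encode(['body' => $stored]), "\n";
```

If you cannot use bound parameters and must build the SQL string yourself, the escaping call has to be the driver's (mysqli_real_escape_string() on the live connection, so it knows the connection charset), and the escaped string is still only for the query; keep using `$raw` everywhere else.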