Prozak

[web] PHP: Dealing with special characters


Prozak    898
I'm using PHP and I need to parse the text a user has inserted into a multi-line editbox, so that it doesn't contain HTML code, or potentially insecure MySQL code. For now I'm using this code; in this example it converts a quote character into its HTML code:
Quote:
$text = ereg_replace( '\\\"', '&quot;', $text );
Any ideas?

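As an added example (not code from the original post), here is the HTML side of the sanitising step the question asks about, done with htmlspecialchars() instead of a per-character ereg_replace(). Replacing only the quote character leaves `<`, `>`, `&` and `'` untouched, so markup can still get through; htmlspecialchars() neutralises all of them, and strip_tags() (suggested in the replies) is shown beside it for contrast. The sample string is constructed; the code assumes PHP 7.4 or later.

```php
<?php
// Added example, not from the thread: escaping user text before it is placed in HTML.

function html_escape(string $userText): string
{
    // ENT_QUOTES escapes both " and ' (single quotes are not escaped by default);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($userText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Text from a multi-line editbox keeps its newlines through escaping; nl2br() is applied
// afterwards, so the <br /> it inserts is the only markup left in the output.
function html_escape_multiline(string $userText): string
{
    return nl2br(html_escape($userText));
}

// Safe use inside an attribute: the value is escaped with ENT_QUOTES, so neither quote
// character can terminate the attribute early.
function html_input(string $name, string $value): string
{
    return '<input type="text" name="' . html_escape($name) . '" value="' . html_escape($value) . '">';
}

// strip_tags() is a different tool: it removes markup rather than neutralising it, and
// it does not touch quotes or ampersands, so its output still needs html_escape()
// before it goes into an attribute or an element body.
function plaintext(string $userText): string
{
    return strip_tags($userText);
}

// Constructed sample input of the kind a forum editbox might receive.
$sample = "Hi \"all\" & <script>alert('x')</script>\nsecond line";

echo html_escape_multiline($sample), "\n";
echo html_input('comment', $sample), "\n";
echo plaintext($sample), "\n";
```

In the first two outputs the `<script>` element, the ampersand and both kinds of quote appear as entities, so the browser renders them as text; in the third, strip_tags() has removed the tags but left `alert('x')`, the ampersand and the quotes as they were.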
benryves    1999
If you just want to remove HTML (that is, convert HTML to plaintext) see strip_tags().

To keep queries safe, I wrote a wrapper class to query the database, like this:

$db->query(
    "SELECT COUNT(*) AS `c` FROM `users` WHERE `username`='{0}' AND `password`=MD5('{1}')",
    $username, $password
);

Sander    1332
Cool. Care to post the code?

I have something similar but for insert/update statements:


$ary = array(
    'field_1' => 'value_1',
    'field_2' => 'value_2',
    'field_3' => 'value_3'
);

$sql = $db->sql_build_array('INSERT', $ary);
// returns properly escaped "(field_1, field_2, field_3) VALUES ('value_1', 'value_2', 'value_3')"

$sql = $db->sql_build_array('UPDATE', $ary);
// returns properly escaped "field_1='value_1', field_2='value_2', field_3='value_3'"

$db->sql_query("UPDATE table SET $sql WHERE <something>");

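As an added example (not Sander's code, whose implementation is not shown in the thread), a sql_build_array() with the same INSERT/UPDATE interface that emits bound-parameter placeholders instead of escaped literals, so the values never become part of the SQL text. Column names cannot be bound, so a hypothetical quote_identifier() validates them against a strict pattern and backtick-quotes them. The demo runs against an in-memory SQLite database with constructed rows and assumes PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
// Added example, not the thread's code: building INSERT / UPDATE fragments from an
// associative array with bound parameters rather than string escaping.

// Identifiers cannot be bound as parameters, so they are validated instead of escaped.
function quote_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    return '`' . $name . '`';
}

/**
 * Returns [sqlFragment, boundValues].
 *   INSERT: "(`a`, `b`) VALUES (?, ?)"
 *   UPDATE: "`a` = ?, `b` = ?"
 */
function sql_build_array(string $mode, array $fields): array
{
    if ($fields === []) {
        throw new InvalidArgumentException('No fields given');
    }
    $columns = array_map('quote_identifier', array_keys($fields));
    $values  = array_values($fields);

    switch (strtoupper($mode)) {
        case 'INSERT':
            $marks = implode(', ', array_fill(0, count($values), '?'));
            return ['(' . implode(', ', $columns) . ') VALUES (' . $marks . ')', $values];
        case 'UPDATE':
            $pairs = array_map(fn(string $c): string => "$c = ?", $columns);
            return [implode(', ', $pairs), $values];
        default:
            throw new InvalidArgumentException("Unknown mode: $mode");
    }
}

// Constructed sample data; the username contains a quote that would break naive quoting.
$ary = [
    'username' => "o'hara",
    'email'    => 'ohara@example.invalid',
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');

[$fragment, $params] = sql_build_array('INSERT', $ary);
$pdo->prepare("INSERT INTO users $fragment")->execute($params);

[$fragment, $params] = sql_build_array('UPDATE', ['email' => 'new@example.invalid']);
$params[] = "o'hara"; // the WHERE value is bound as well, appended after the SET values
$pdo->prepare("UPDATE users SET $fragment WHERE username = ?")->execute($params);

echo $pdo->query('SELECT email FROM users')->fetchColumn(), "\n";
```

The key difference from an escaping approach is the split between the two return values: the fragment only ever contains validated column names and `?` markers, and the values travel through execute(), so a quote in `o'hara` needs no special handling at all. A column name that fails the pattern is rejected rather than quoted, since a user-controlled key in the array would otherwise be the remaining injection path.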
ToohrVyk    1596
Quote:
Original post by benryves
If you just want to remove HTML (that is, convert HTML to plaintext) see strip_tags().

To keep queries safe, I wrote a wrapper class to query the database, like this:

$db->query(
"SELECT COUNT(*) AS `c` FROM `users` WHERE `username`='{0}' AND `password`=MD5('{1}')",
$username, $password
);


I second the suggestion for query wrappers. My wrapper looks like this:


define('TABLE_USER', 'users');
define('USER_C',     'users.c');
define('USER_NAME',  'users.username');
define('USER_PASS',  'users.password');

$req = new Request(
    "SELECT COUNT(*) as `{!USER_C}` " .
    "FROM `{!TABLE_USER}` " .
    "WHERE `{!USER_NAME}` = '{name}' " .
    "AND `{!USER_PASS}` = '{pass}'");   // {!CONST} names an identifier, {name} a value

$req->Args(array(
    'name' => $username,
    'pass' => md5($password)
));

$result = $req->Execute();

benryves    1999
It's not exactly the world's best code (especially the 999 hack). My regex-fu is somewhat lacking. (The advantage is, of course, that when someone points out the big gaping flaw in it, I only need to fix it in one place)...

function escape_query() {
    $args = func_get_args();
    # Accept either query(template, a, b) or query(array(template, a, b)).
    if (count($args) == 1 && is_array($args[0])) $args = $args[0];
    if (count($args) > 1) {
        # Split the template on {n} placeholders. The appended {999} sentinel makes the
        # text after the last real placeholder show up as a final match.
        preg_match_all('/(.*?){(\d*?)}(.*?)/ms', $args[0] . '{999}', $split_args);

        $args[0] = '';
        $result_count = count($split_args[0]);
        for ($i = 0; $i < $result_count; ++$i) {
            $args[0] .= $split_args[1][$i];
            if ($i != $result_count - 1) {
                # {n} refers to argument n+1, because $args[0] is the template itself.
                # mysql_escape_string() ignores the connection charset;
                # mysql_real_escape_string() is the charset-aware variant.
                $args[0] .= mysql_escape_string($args[$split_args[2][$i] + 1]);
            }
        }
    }
    return $args[0];
}

function query() {
    $sql = $this->escape_query(func_get_args());
    $this->result = mysql_query($sql, $this->link);
    # ... snip ...
}

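As an added example (not benryves's or ToohrVyk's code), the same `{0}`, `{1}` placeholder interface as escape_query() above, but rewritten so that every placeholder becomes a bound parameter of a prepared statement. This removes both things the author flags as weak: no escaping function is needed, and no `{999}` sentinel is needed because the template is rewritten with a single preg_replace_callback(). A placeholder whose index has no matching argument raises an exception instead of silently splicing in an empty string. The class name Db and its bind()/query() methods are this example's own; the demo uses an in-memory SQLite database with constructed rows and assumes PHP 7.4+ with pdo_sqlite.

```php
<?php
// Added example, not the thread's code: a {n}-placeholder query wrapper built on
// PDO prepared statements instead of string escaping.

class Db
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    /**
     * Rewrites "WHERE a = '{0}' AND b = {1}" plus values into [sql with ? markers, ordered values].
     * Quotes around a placeholder are optional and are removed: a bound parameter must not
     * be quoted in the SQL text, so MD5('{1}') becomes MD5(?).
     */
    public static function bind(string $template, array $values): array
    {
        $ordered = [];
        $sql = preg_replace_callback(
            "/'?\{(\d+)\}'?/",
            function (array $m) use ($values, &$ordered): string {
                $index = (int) $m[1];
                if (!array_key_exists($index, $values)) {
                    // Out-of-range index: fail loudly rather than splicing in "".
                    throw new OutOfRangeException("No value for placeholder {{$index}}");
                }
                $ordered[] = $values[$index];
                return '?';
            },
            $template
        );
        return [$sql, $ordered];
    }

    public function query(string $template, ...$values): PDOStatement
    {
        [$sql, $params] = self::bind($template, $values);
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

// Demo against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'secret')");

$db = new Db($pdo);

// The textbook quote-and-OR string as a username: bound as a parameter it is only a string.
$username = "' OR '1'='1";
$count = $db->query(
    "SELECT COUNT(*) AS c FROM users WHERE username = '{0}' AND password = '{1}'",
    $username, 'wrong'
)->fetchColumn();
echo "matches: $count\n";

$count = $db->query(
    "SELECT COUNT(*) AS c FROM users WHERE username = '{0}' AND password = '{1}'",
    'alice', 'secret'
)->fetchColumn();
echo "matches: $count\n";
```

The first query reports 0 matches and the second 1: the quote-and-OR string never reaches the parser as SQL because the server receives `WHERE username = ? AND password = ?` and the two values separately. The same template string works unchanged with a MySQL PDO connection, and the `{!CONST}` identifier placeholders in ToohrVyk's wrapper would need the opposite treatment, substituting validated names into the text rather than binding them, since identifiers cannot be parameters.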