Prozak

[web] PHP: Dealing with special characters


I'm using PHP and I need to parse the text a user has inserted into a multi-line editbox, so that it doesn't contain HTML code or potentially insecure MySQL code. For now I'm using this code; in this example it converts a quote character into its HTML code:
Quote:
$text = ereg_replace( '\\\"', '&quot;', $text );
Any ideas?

If you just want to remove HTML (that is, convert HTML to plaintext) see strip_tags().

To keep queries safe, I wrote a wrapper class to query the database, like this:

$db->query(
"SELECT COUNT(*) AS `c` FROM `users` WHERE `username`='{0}' AND `password`=MD5('{1}')",
$username, $password
);

Cool. Care to post the code?

I have something similar but for insert/update statements:


$ary = array(
'field_1' => 'value_1',
'field_2' => 'value_2',
'field_3' => 'value_3'
);

$sql = $db->sql_build_array('INSERT', $ary);
// returns properly escaped "(field_1, field_2, field_3) VALUES ('value_1', 'value_2', 'value_3')"

$sql = $db->sql_build_array('UPDATE', $ary);
// returns properly escaped "field_1='value_1', field_2='value_2', field_3='value_3'"

$db->sql_query("UPDATE table SET $sql WHERE <something>");

Quote:
Original post by benryves
If you just want to remove HTML (that is, convert HTML to plaintext) see strip_tags().

To keep queries safe, I wrote a wrapper class to query the database, like this:

$db->query(
"SELECT COUNT(*) AS `c` FROM `users` WHERE `username`='{0}' AND `password`=MD5('{1}')",
$username, $password
);


I second the suggestion for query wrappers. My wrapper looks like this:


define ('TABLE_USER','users');
define ('USER_C','users.c');
define ('USER_NAME','users.username');
define ('USER_PASS','users.password');

$req = new Request(
"SELECT COUNT(*) as `{!USER_C}` ".
"FROM `{!TABLE_USER}` ".
"WHERE `{!USER_NAME}` = '{name}' ".
"AND `{!USER_PASS}` = '{pass}'");

// {!CONST} placeholders take the defined identifiers; {name}/{pass} take the escaped values.
$req->Args(array(
'name' => $username,
'pass' => md5($password)
));

$result = $req->Execute();

It's not exactly the world's best code (especially the 999 hack). My regex-fu is somewhat lacking. (The advantage is, of course, that when someone points out the big gaping flaw in it, I only need to fix it in one place)...

function escape_query() {
    # Accepts either a list of arguments or a single array (which is how query() passes them).
    $args = func_get_args();
    if (count($args) == 1 && is_array($args[0])) $args = $args[0];
    if (count($args) > 1) {
        # Split the template on {N} placeholders. The appended {999} is the hack mentioned
        # above: it makes the text after the last real placeholder match as well.
        preg_match_all('/(.*?){(\d*?)}(.*?)/ms', $args[0] . '{999}', $split_args);

        $args[0] = '';
        $result_count = count($split_args[0]);
        for ($i = 0; $i < $result_count; ++$i) {
            $args[0] .= $split_args[1][$i];
            if ($i != $result_count - 1) {
                # Placeholder {N} refers to argument N + 1, since argument 0 is the template.
                $args[0] .= mysql_escape_string($args[$split_args[2][$i] + 1]);
            }
        }
    }
    return $args[0];
}

# Both functions are methods of the wrapper class; $this->link is the open MySQL connection.
function query() {
    $sql = $this->escape_query(func_get_args());

    $this->result = mysql_query($sql, $this->link);

    # ... snip ...
}
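Added example, not code from any post in this thread: the same two concerns handled with today's standard PHP tools, htmlspecialchars() for the original HTML question and a PDO prepared statement with named placeholders in place of the hand-rolled {name}/{pass} substitution in the wrappers above. It assumes the pdo_sqlite extension so it runs against an in-memory database; the table, row and inputs are constructed for the demo.

```php
<?php
// Added example, not from the thread. Requires the pdo_sqlite extension;
// the schema, row and inputs below are constructed for the demo.

// Original question: make user text safe to display as HTML. Encode at output
// time rather than rewriting the stored text with ereg_replace().
function html_safe(string $text): string {
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The query wrappers above, redone: the same SELECT with the driver binding
// :name and :pass, so no escaping routine (and no {999} hack) has to be maintained.
function count_user(PDO $pdo, string $username, string $password): int {
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) AS c FROM users WHERE username = :name AND password = :pass'
    );
    $stmt->execute([':name' => $username, ':pass' => $password]);
    return (int) $stmt->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'secret')");

// A matching row, then a name containing an apostrophe: with string
// concatenation the quote would break the statement; bound, it is just data.
printf("alice: %d\n", count_user($pdo, 'alice', 'secret'));
printf("O'Brien: %d\n", count_user($pdo, "O'Brien", 'secret'));
echo html_safe('<b>"quoted" & \'single\'</b>'), "\n";
```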
