Using nl2br and mysql_real_escape_string at same time
What's the correct way to use nl2br in the following situation?
I have post data that comes from a text area input
$data = $_POST;
$escaped_data = array();
// Escape every posted field for use inside a MySQL string literal
foreach ($data as $key => $val) {
    $escaped_data[$key] = mysql_real_escape_string($val);
}
// The original used the bare constant description; the key must be quoted
$desc = $escaped_data['description'];
$desc = nl2br($desc);
Actually, the correct way to use nl2br() is not to use it at all when you store your data - it's when you read from the database and are about to output it to the client. Data should not be formatted when inserted into the database; what if you later on want to create a REST service and really need those newlines instead of an HTML element?
Generally speaking, if you wish to add a string to your SQL query, you should escape it immediately before adding it to your SQL query.
I assume that you want to escape all your data at the start of your PHP script, so that you will not have to worry about escaping later.
Escaping strings for SQL queries shouldn't be included there, because that's a bad design method:
- What happens when you add the escaped string to an input element of an HTML form? The original client's string will be modified.
- It's inconvenient or problematic to use prepared statements with already-escaped data.
I think that the following code should be used:
function init_filter_input($method_array /* $_GET, $_POST, or whatever you wish */ )
{
    // Return the filtered copy: the original discarded the return values,
    // so neither filter had any effect on the caller's array
    $method_array = filter_UTF8($method_array); // for a UTF8 encoded string
    return filter_HTML($method_array);
}
function filter_UTF8($mixed)
{
    // Recurse into arrays; drop byte sequences that are not valid UTF-8
    return is_array($mixed)
        ? array_map('filter_UTF8', $mixed)
        : iconv('UTF-8', 'UTF-8//IGNORE', $mixed);
}
function filter_HTML($mixed)
{
    // Recurse into arrays; HTML-encode scalars (the original referenced an
    // undefined $value here instead of the parameter $mixed)
    return is_array($mixed)
        ? array_map('filter_HTML', $mixed)
        : htmlspecialchars(trim($mixed), ENT_QUOTES);
}
When you want to add a string to your SQL query, you may decide to use prepared statements, or sprintf:
// sprintf example:
query('SELECT ... WHERE username="%s"', $unescaped_username);
function filter_SQL($value)
{
    // Not defined in the original; assumed to be the MySQL string-literal
    // escaper, which needs an open mysql_connect() link. The mysql_*
    // extension was removed in PHP 7; mysqli or PDO prepared statements
    // are the replacement.
    return mysql_real_escape_string($value);
}
function query($query_str, $params)
{
    if (is_array($params))
    {
        $params = array_map('filter_SQL', $params);
        // the original used an undefined $queryStr here
        $query_str = vsprintf($query_str, $params);
    }
    else
        $query_str = sprintf($query_str, filter_SQL($params));
    return mysql_query($query_str);
}
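The following is an added example, not code from the question or from either answer. It ties the two points together: the first answer's advice to store the raw text and call nl2br() only at output time, and the second answer's advice to bind or escape values at the moment the query is built. It uses PDO with an in-memory SQLite database so it runs offline; that choice, the table name `items`, the sample textarea input and the helper `render_html()` are all assumptions of this example, and against MySQL only the DSN would change.

```php
<?php
// Added example (not from the original page): keep raw text in the
// database, bind it with a prepared statement, and format it only when
// rendering HTML. Assumes the pdo_sqlite extension is available.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, description TEXT NOT NULL)');

// Constructed sample input standing in for $_POST['description'] from a
// textarea: Windows and Unix newlines, a single quote that would break
// naive string concatenation, and a tag that must not reach the browser raw.
$posted = "Line one\r\nLine two with a ' quote\n<script>alert(1)</script>";

// 1. Store: a bound parameter is sent separately from the SQL text, so no
//    escaping function is needed and the text is stored exactly as typed.
$insert = $pdo->prepare('INSERT INTO items (description) VALUES (:description)');
$insert->execute([':description' => $posted]);

// 2. Read back: the stored value is byte-for-byte what the user sent, so a
//    JSON or REST endpoint can return it with real newlines intact.
$select = $pdo->prepare('SELECT description FROM items WHERE id = :id');
$select->execute([':id' => 1]);
$stored = $select->fetchColumn();
assert($stored === $posted);

// 3. Render for HTML: escape first, then convert newlines. The order matters:
//    running nl2br() before htmlspecialchars() would encode the <br /> tags
//    nl2br() inserted and show them as literal text.
function render_html(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

echo render_html($stored), PHP_EOL;
```

Because the stored row is never touched by nl2br() or htmlspecialchars(), the same value can be echoed back into a form field (escaped for that context) or returned from an API without first undoing HTML formatting.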