If I have this code:

$query = mysql_query("SELECT `choice`, `name` FROM `survey`");
while ($index = mysql_fetch_array($query)) {
    $choice = $index['choice'];
    $name = $index['name'];
    echo $choice;
    echo $name;
}

Then I need to add "htmlspecialchars" here:

$choice = htmlspecialchars($index['choice']);
$name = htmlspecialchars($index['name']);
echo $choice;
echo $name;

(the variable "choice" was added into the DB by some user with some form)

Can I just do htmlspecialchars($index) and then $choice = $index['choice']; ?
If I don't have the variable "$index", it won't do anything, right? So I can put this code at the top of every page...?
$index = array_map('htmlspecialchars', $index);

That would apply the htmlspecialchars function to every value within the $index array... place that line under the while($index...).
Well, in my website $index is the variable (array) that always holds the data to print to the screen (echo), so I think it's OK to always have

$index = array_map('htmlspecialchars', $index);

at the top of every page. If on a specific page there is no printing to the screen, then there will be no variable $index, and the code $index = array_map('htmlspecialchars', $index); won't do anything...
If you just want $choice and $name to be converted into entities, do the following:

$query = mysql_query("SELECT `choice`, `name` FROM `survey`");
while ($index = mysql_fetch_array($query)) {
    $choice = htmlspecialchars($index['choice']);
    $name = htmlspecialchars($index['name']);
    echo $choice;
    echo $name;
}

or if you want the whole array to be converted, do the following:

$query = mysql_query("SELECT `choice`, `name` FROM `survey`");
while ($index = mysql_fetch_array($query)) {
    $index = array_map('htmlspecialchars', $index);
    $choice = $index['choice'];
    $name = $index['name'];
    echo $choice;
    echo $name;
}
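The whole-array approach from the answer above, as an added example that is not code from the thread. It wraps the array_map call in a small helper (escapeRow, an assumed name) that passes ENT_QUOTES so single quotes are encoded too, names the charset explicitly, and tolerates NULL columns, which htmlspecialchars() complains about on PHP 8.1 and later. The sample row is constructed to stand in for what mysql_fetch_array($query) would return.

```php
<?php
// Added example, not from the thread. escapeRow() and the sample row are
// assumptions for illustration.

function escapeRow(array $row): array
{
    // array_map preserves the keys when it receives exactly one array, so
    // both the numeric and the associative keys of a fetched row survive.
    return array_map(
        // ENT_QUOTES also converts single quotes, so a value such as Mike's
        // stays harmless inside a single-quoted HTML attribute.
        // A NULL column becomes '' instead of being passed to
        // htmlspecialchars(), which deprecates NULL input on PHP 8.1+.
        fn($value) => htmlspecialchars(
            (string) ($value ?? ''),
            ENT_QUOTES | ENT_SUBSTITUTE,
            'UTF-8'
        ),
        $row
    );
}

// Constructed row, shaped like the MYSQL_BOTH result of mysql_fetch_array():
// each column appears once under its index and once under its name.
$index = [
    0        => "Mike's \"phone\" & <b>bold</b>",
    'choice' => "Mike's \"phone\" & <b>bold</b>",
    1        => null,
    'name'   => null,
];

// Same shape as the loop body in the answer: escape first, then read out.
$index  = escapeRow($index);
$choice = $index['choice'];
$name   = $index['name'];

echo $choice, "\n";
echo $name, "\n";
```

Calling escapeRow() once per fetched row keeps the escaping next to the output it protects; applying it "at the top of every page" only works when $index actually holds the row about to be printed at that point.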
One more thing - when I'm using "mysql_real_escape_string" to escape data before inserting it into the DB, the code replaces ' with \'. Well, it's a problem when my users write words like: Mike's phone ... What can I do to avoid that?
It should do; it has to be used when you get the data from the database and output it. You could also try str_replace(), which can replace any character in a string.
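An added example, not code from the thread, showing the two escaping steps the follow-up question is about as separate concerns. It swaps in PDO with an in-memory SQLite database (an assumption; the thread uses the mysql_* functions) so it runs without a MySQL server: the value "Mike's phone" is inserted through a bound parameter, read back unchanged, and only HTML-encoded at the moment it is echoed. The table and the input values are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Uses PDO + SQLite as a stand-in for
// the mysql_* functions; the table name and inputs are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE survey (choice TEXT, name TEXT)');

// Constructed user input, as it might arrive from a form.
$input = [
    'choice' => "Mike's phone",
    'name'   => 'O\'Brien & Sons <Ltd>',
];

// A bound parameter never becomes part of the SQL text, so the driver adds
// no backslash and none can end up in the stored value.
$insert = $db->prepare('INSERT INTO survey (choice, name) VALUES (:choice, :name)');
$insert->execute($input);

// Reading back: the stored value is exactly what the user typed.
$row = $db->query('SELECT choice, name FROM survey')->fetch(PDO::FETCH_ASSOC);
if ($row['choice'] !== "Mike's phone") {
    throw new RuntimeException('stored value was altered: ' . $row['choice']);
}

// HTML escaping happens here, at output time, and nowhere else. The
// apostrophe becomes an entity in the page but stays a plain ' in the DB.
foreach ($row as $column => $value) {
    echo $column, ': ', htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
}
```

If backslashes do show up in the stored text, the value was escaped twice on the way in (for example by an input filter plus a manual escape); the fix is to escape exactly once for SQL when building the query and once for HTML when printing, not to strip characters afterwards with str_replace().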