The answer to my question is probably simple and has probably been answered a million times, but when I searched, I wasn't able to find it. I have a form which onsubmit gets sent to a server side php program to deal with it. Now, when a user types a single quote ( ' ) or a double quote ( " ), the end result is displayed as /' or /" . I find it slightly annoying to go in and fix after it's been published to a blog or sent as an email. I believe it is changed when it is passed to the php script. What is the best way to deal with this? Do I use a search and replace function in PHP, or is there a way to pass it without this happening? Please advise, focus3
As a related tip, if you're going to store a value you got from the user (via GET or POST) in an SQL database, be sure to perform the opposite operation, addslashes or mysql_escape_string, on it first, to prevent introducing SQL injection vulnerabilities. The most common security hole and the easiest to both introduce and prevent...
stripslashes still trips me up sometimes and I only notice when the output is displayed with a bunch of '/ .
If you use Smarty or any similar template engine, you can register stripslashes as an output filter once for the whole site.
Do yourself a favor and make sure magic_quotes is turned off via .htaccess or php.ini. It will end up confusing you because sometimes you don't have problems with quotes and sometimes you do. Take care of all your slashing manually with StripSlashes and AddSlashes, or build your own function if you have other input/output filtering needs.
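The thread's two points, undoing magic_quotes so quotes arrive unchanged and keeping user input out of SQL safely, as an added example that is not from any poster. It swaps the suggested addslashes/mysql_escape_string for a PDO prepared statement with bound parameters (the escaping then happens in the driver, not by hand); the table name, column names and the submitted values are constructed for the demo.

```php
<?php
// Added example (not from the original thread). Normalizes a submitted value so it
// is identical whether or not magic_quotes_gpc is on, stores it with a bound
// parameter instead of hand-escaping, and escapes only on output.

/** Undo magic_quotes_gpc if the server still has it enabled (PHP < 5.4). */
function normalize_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/** Store the comment with bound parameters; quotes need no addslashes at all. */
function save_comment(PDO $db, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

/** Escape for HTML on output so quotes render literally, without backslashes. */
function render_comment(string $body): string {
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

// Self-contained run: in-memory SQLite and a constructed POST body ("comments" table is assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$_POST = ['author' => "O'Brien", 'body' => 'She said "it\'s fine" and moved on.'];
$author = normalize_input($_POST['author']);
$body   = normalize_input($_POST['body']);

save_comment($db, $author, $body);
$row = $db->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);

// Both values round-trip exactly as typed, with no /' or /" in the stored text.
echo $row['author'], ' / ', $row['body'], PHP_EOL;
echo render_comment($row['body']), PHP_EOL;
```

Running it with magic_quotes_gpc on or off gives the same stored text, which is the point of normalizing once at the boundary rather than sprinkling stripslashes through the output code.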