Bennett 🚀
Formerly iPokemon.
Post by Bennett 🚀 on Jan 5, 2011 8:15:41 GMT -8
Yet, combining addslashes() and mysql_real_escape_string() into one function is a little easier.
Post by Charles Stover on Jan 6, 2011 18:56:51 GMT -8
There is no reason you would need both of them. Ever.
Post by Trill on Jan 13, 2011 9:12:00 GMT -8
Any update on this, iPokemon?
Post by Bennett 🚀 on Jan 13, 2011 19:35:44 GMT -8
> Any update on this, iPokemon?
Way to pick up on name change again lol. I'll see what I can do this weekend.
Post by Trill on Jan 15, 2011 16:34:58 GMT -8
I'm a ninja with name changes. And thank you!
Post by Trill on Jan 20, 2011 14:49:00 GMT -8
Bump
Post by Trill on Jan 22, 2011 7:42:39 GMT -8
Post by Trill on Jan 30, 2011 21:07:54 GMT -8
Bump
Post by Bob on Jan 31, 2011 14:00:37 GMT -8
> Yet, combining addslashes() and mysql_real_escape_string() into one function is a little easier.
You should never be using both. In fact, you should be stripping slashes in the event of Magic Quotes being enabled. Failure to strip the preexisting slashes prior to escaping them with mysql_real_escape_string will lead to contaminating the user's input.
Post by Trill on Jan 31, 2011 14:36:32 GMT -8
Ruh Roh! That doesn't sound good.
*pretends to know what you're talking about*
Post by Bennett 🚀 on Jan 31, 2011 14:59:18 GMT -8
>> Yet, combining addslashes() and mysql_real_escape_string() into one function is a little easier.
> You should never be using both. In fact, you should be stripping slashes in the event of Magic Quotes being enabled. Failure to strip the preexisting slashes prior to escaping them with mysql_real_escape_string will lead to contaminating the user's input.

    function EscapeString($unescapedString) {
        // Undo magic quotes if PHP added them to the request data.
        if (get_magic_quotes_gpc()) {
            $unescapedString = stripslashes($unescapedString);
        }
        // Escape the LIKE wildcards % and _.
        $semiEscapedString = addcslashes($unescapedString, "%_");
        // Escape for use inside a quoted MySQL string literal.
        $escapedString = mysql_real_escape_string($semiEscapedString);
        // HTML-encode the SQL-escaped string.
        $finalEscapedString = htmlspecialchars($escapedString);
        return $finalEscapedString;
    }

Is my function.
Post by Former Member on Jan 31, 2011 15:32:28 GMT -8
I have something similar to iDirectory, though, seeing as how PB doesn't have an API to do this, I'm not quite sure. XD Unless you have another forum just for the sake of sign-ups (like phpBB) for users to use on the API. Then I might be able to help you. I'm not familiar with phpBB's API though, just another forum service. The real one that knows everything about all this is my own coder who built the SQL Database and PHP for iDirectory. Currently, he's having RL issues, and doesn't want to take on any extra projects. But if you need any help, I might possibly be able to help.
Post by Trill on Feb 5, 2011 12:53:22 GMT -8
Sorry Nick, I really wouldn't want to have the members sign up at another forum service just to have them submit biographies. (bump)
Post by Trill on Feb 12, 2011 14:16:42 GMT -8
I feel like a noob for bumping.
Post by Charles Stover on Feb 14, 2011 7:17:46 GMT -8
You shouldn't use htmlspecialchars (you should be using htmlentities, btw) when inserting to the database. You only use that when sending the code to the user. htmlentities (and htmlspecialchars) make the text longer, since single-byte characters such as < become multiple bytes such as &lt;.
Say the user is limited to 255 characters of input (tinytext). If they entered 255 < characters, the data would truncate when being inserted into the database, because the htmlspecialchars/htmlentities string will be longer than 255.
Also, escaping magic quotes should be done globally at start instead of in a function. Your function will cause errors if the string being sent as a parameter isn't $_GET, $_POST, or $_COOKIE or if the variable is set mid-program.
e.g.
    $_GET["test"] = "ha\\ha"; // set manually
    echo EscapeString($_GET["test"]); // haha
e.g.
    $myvar = "ha\\ha";
    echo EscapeString($myvar); // haha
Your function will remove slashes that are supposed to be there, because it will assume the slashes were caused by magic quotes (which only affect the $_GET, $_COOKIE, and $_POST data that exists at start) instead of added manually.
Therefore, remove slashes at program start, so it doesn't affect variables that don't exist until mid-program.
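
The order of operations described in the post above (undo magic quotes once at start, store the raw text, HTML-encode only on output), as an added example that is not part of any post in this thread. It swaps mysql_real_escape_string() for PDO bound parameters so it runs on current PHP; the bios table, BIO_MAX and the helper names are hypothetical, and the pdo_sqlite extension is assumed to be installed.

```php
<?php
// Added example, not code from the thread; names are hypothetical (PHP 7.1+, pdo_sqlite).

// 1. Undo magic quotes once, at request start, and only on request data.
//    get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function undoMagicQuotes(array $input): array {
    return array_map(function ($v) {
        return is_array($v) ? undoMagicQuotes($v) : stripslashes($v);
    }, $input);
}
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET    = undoMagicQuotes($_GET);
    $_POST   = undoMagicQuotes($_POST);
    $_COOKIE = undoMagicQuotes($_COOKIE);
}

const BIO_MAX = 255; // models the TINYTEXT limit from the post

// 2. Store the raw text. Bound parameters replace mysql_real_escape_string().
function saveBio(PDO $db, string $raw): void {
    if (strlen($raw) > BIO_MAX) {
        throw new LengthException('bio exceeds ' . BIO_MAX . ' bytes');
    }
    $db->prepare('INSERT INTO bios (body) VALUES (?)')->execute([$raw]);
}

// 3. HTML-encode only when the text is written into a page.
function renderBio(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bios (body TEXT)');

// Constructed inputs: the 255 "<" case and a value with a quote and a slash.
$angles = str_repeat('<', BIO_MAX);
saveBio($db, $angles);
saveBio($db, "O'Brien wrote ha\\ha");

$rows = $db->query('SELECT body FROM bios ORDER BY rowid')->fetchAll(PDO::FETCH_COLUMN);
printf("stored %d bytes, rendered %d bytes\n", strlen($rows[0]), strlen(renderBio($rows[0])));
printf("round-trip intact: %s\n", $rows[1] === "O'Brien wrote ha\\ha" ? 'yes' : 'no');
// Encoding before the insert is what overflows the column.
try {
    saveBio($db, htmlspecialchars($angles));
} catch (LengthException $e) {
    printf("encode-then-store rejected: %s\n", $e->getMessage());
}
```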