brainfart with $db->escape_string


Antivirus
08-03-2007, 03:27 AM
My brain is fried after coding for 12 hours and I'm so tired... I'm using $db->escape_string() on a var after cleaning with the input cleaner class (TYPE_STR). All nasties are escaped as they should be to prevent maliciousness, etc... Problem I am having is when calling the data, it displays as follows:

Posted the banner on my myspace profile. Also posted their video on my blog, etc...\r\n\r\nOh yes i did.\r\n\r\nThat\'s what I\'m talking about. "oh yeah" i said

I can get rid of the slashes with stripslashes() however it leaves the rnrn stuff in there...

How can I clean it nicely for display? It's just text so I don't want to parse it with the bbcode parser unless I have to.

I also noticed that vb uses (TYPE_NOHTML) to "make safe" the data in profile fields since " becomes &quot (for instance). Is this sufficient for protecting against SQL injection?


Thanks

Adrian Schneider
08-03-2007, 04:04 AM
That's what the escaped version looks like... you shouldn't be displaying it, you should be using it in a query. :p

SQL injection and XSS are completely different things. If you use escape_string, then it is safe from injection. If you allow users to enter data that will be displayed, then you have to use TYPE_NOHTML (or the function) when either cleaning it (and inserting into DB) OR when displaying it.

Antivirus
08-03-2007, 04:24 AM
Ah! Okie, it's all starting to make sense. I've been working on a rather large modification and everything works, however I'm just learning how to make everything safe against attacks, etc...

Dismounted
08-03-2007, 10:34 AM
\r and \n are line breaks. You should run nl2br() on the string.
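The two separate steps the replies describe (escape for the SQL query only, then HTML-encode plus nl2br() for display), as an added example in plain PHP that is not from the thread or from vBulletin. The forSql() helper is an assumed stand-in that emulates what the MySQL string escaper does to quotes, backslashes and line breaks, so the script runs without a database connection; in vBulletin you would call $db->escape_string() instead.

```php
<?php
// Added example, not vBulletin code. Constructed sample input, as a user
// would type it into the form: real line breaks, an apostrophe, double quotes.
$raw = "Posted the banner.\r\n\r\nThat's what I'm talking about. \"oh yeah\"";

// Step 1 (storage): escape ONLY for the SQL query string. Assumption: this
// emulates mysqli_real_escape_string() (which $db->escape_string() wraps),
// which backslash-escapes NUL, \n, \r, \, ', " and Ctrl-Z. The database
// un-escapes on insert, so the stored value is the original $raw again.
function forSql(string $s): string {
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

// Step 2 (display): what comes back from the database is plain text, so
// encode HTML metacharacters (the job TYPE_NOHTML does) and only then turn
// the line breaks into <br />. Encoding first matters: nl2br() before
// htmlspecialchars() would encode the <br /> tags it just produced.
function forHtml(string $s): string {
    return nl2br(htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}

$query = "INSERT INTO post (body) VALUES ('" . forSql($raw) . "')";

// The mistake from the opening post: showing the SQL-escaped string as if it
// were display text gives the literal \r\n and \' the poster saw.
$wrong = forSql($raw);

// What the page should render: quotes become &quot; / &#039;, CRLF pairs
// become <br />, and nothing the user typed is interpreted as markup.
$right = forHtml($raw);

echo "Query for the DB:  $query\n";
echo "Wrongly displayed: $wrong\n";
echo "Correctly shown:   $right\n";
```

Using a prepared statement with bound parameters removes the need for step 1 altogether, but the display-side encoding in step 2 is still required either way.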