jwocky
06-09-2009, 09:45 PM
So I have a user-input string ==>
i'm going to hack your table '; SELECT
I want to safely enter that string into my database, so using the advice I found here, I used the vb input cleaner (using TYPE_NOHTML) on the string and then also ran the $db->escape_string function prior to inserting the variable into the database. I do this and all goes well.
But when I try to pull the data from the database at a later point and echo the string back out I get this as my result ==>
i\'m going to hack your table \'; SELECT
So it seems the \ are still in the string inside the database. Is this normal? Should I not be running $db->escape_string on the string after doing a TYPE_NOHTML on the string? Is there any way to remove the \'s correctly when re-displaying the strings?
Thanks for any guidance on this!
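The behaviour described in the post (backslashes stored in the row) is what happens when a string is escaped twice before the INSERT. The PHP below is an added example, not code from the post or from vBulletin: it escapes the post's sample string once and twice, then decodes each result the way the MySQL server decodes a single-quoted literal, so it runs without a database. mysql_literal_value(), escape_once(), escape_twice() and stored_value() are hypothetical helpers written for this example, and addslashes() stands in for $db->escape_string() on the assumption that the input contains none of the extra characters (\n, \r, \x1a) the real function also escapes and that there are no connection-charset issues.

```php
<?php
// Added example, not code from the post or from vBulletin. It shows why a string that is
// escaped twice before INSERT comes back from the database with backslashes in it.

// Hypothetical helper: emulates how the MySQL server decodes the text between the quotes in
// VALUES ('...') into the value it stores. Used only so the example runs without a database.
function mysql_literal_value(string $literal): string
{
    $out = '';
    $len = strlen($literal);
    for ($i = 0; $i < $len; $i++) {
        $c = $literal[$i];
        if ($c !== '\\' || $i + 1 >= $len) {
            $out .= $c;
            continue;
        }
        $n = $literal[++$i];
        switch ($n) {
            case '0': $out .= "\0";   break;
            case 'b': $out .= "\x08"; break;
            case 'n': $out .= "\n";   break;
            case 'r': $out .= "\r";   break;
            case 't': $out .= "\t";   break;
            case 'Z': $out .= "\x1a"; break;
            case '%':
            case '_':                 // kept as-is: LIKE wildcards, not string escapes
                $out .= '\\' . $n;    break;
            default:                  // \' \" \\ and any other character: the character itself
                $out .= $n;           break;
        }
    }
    return $out;
}

// Stand-in for $db->escape_string(). Assumption: for this input addslashes() yields the same
// result as mysql_real_escape_string(), which additionally escapes \n, \r and \x1a.
function escape_once(string $value): string
{
    return addslashes($value);
}

// Escaping an already-escaped string (for example magic_quotes_gpc or an earlier cleaner
// pass, followed by escape_string) doubles every backslash and escapes the quotes it added.
function escape_twice(string $value): string
{
    return addslashes(addslashes($value));
}

// The value SELECT returns for a row inserted with INSERT ... VALUES ('<literal>').
function stored_value(string $literal): string
{
    return mysql_literal_value($literal);
}

// Sample input, constructed from the post.
$input = "i'm going to hack your table '; SELECT";

$once  = escape_once($input);
$twice = escape_twice($input);

// Escaped once, the server stores exactly the original text.
var_dump(stored_value($once) === $input);

// Escaped twice, the server stores the once-escaped text, backslashes included, which is
// what echoing the row shows.
var_dump(stored_value($twice) === $once);
echo stored_value($twice), "\n";

// Checking the real table instead of eyeballing echo output (assumed table/column names):
//   SELECT LENGTH(message), message FROM post_table WHERE id = 1;
// A LENGTH() larger than strlen($input) means backslashes were stored in the row.
```

Escaping once turns the sample into i\'m going to hack your table \'; SELECT, which is a valid SQL literal that the server stores as the plain text; escaping it a second time produces i\\\'m going to hack your table \\\'; SELECT, which the server decodes back to the once-escaped text. The escaped form exists only for the query text, so the fix is to escape exactly once immediately before building the query (or use a prepared statement) rather than to strip backslashes on output, since stripslashes() on display would also mangle a legitimately stored backslash.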