htmlspecialchars_uni missing single quote


Gizmo99
04-05-2010, 08:26 AM
Morning

bit of a squiffy one for you

I use


$vbulletin->input->clean_array_gpc('p', array(
    'mileage' => TYPE_NOHTML
));


BUT

mileage = 70'000 is allowed through ???????? and hence an SQL error ?????

Giz

Marco van Herwaarden
04-09-2010, 10:12 AM
TYPE_NOHTML does not do a html_specialchars_uni IIRC. :confused:

Gizmo99
04-09-2010, 07:59 PM
emmm not good then :(

Marco van Herwaarden
04-12-2010, 09:23 AM
Why not good? It is an input cleaner class, not an output cleaner.

You should always (as close to the query in which you will be using it) prepare non-numeric data for use in MySQL.
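The distinction Marco draws (input cleaner versus SQL preparation) is easier to see in code. The following is an added example, not code from this thread or from vBulletin: `clean_nohtml()` is a stand-in for what a TYPE_NOHTML-style cleaner does (strip tags, encode `&`, `<`, `>`, `"`, and leave the single quote alone), and `escape_for_mysql()` is a stand-in for the escaping a MySQL driver applies, written with `strtr` so it runs without a database connection. The table and column names are made up.

```php
<?php
// Added example: why an HTML input cleaner does not make a value safe
// for SQL, and where the SQL escaping belongs (next to the query).

// Constructed input, the value reported in the thread.
$rawMileage = "70'000";

// Stand-in for a TYPE_NOHTML-style cleaner: removes tags and encodes
// the HTML-significant characters. ENT_COMPAT leaves the single quote
// untouched, which is the behaviour the thread is about.
function clean_nohtml(string $value): string
{
    return htmlspecialchars(strip_tags($value), ENT_COMPAT, 'UTF-8');
}

// Stand-in for a driver's escape function (assumption: mirrors the
// characters mysql_real_escape_string handles for single-byte input).
// In real code use the DB layer's own escaping, or a prepared statement.
function escape_for_mysql(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Counts single quotes that are not preceded by a backslash; anything
// above the two delimiters means the literal has been broken open.
function unescaped_quote_count(string $sql): int
{
    return preg_match_all("/(?<!\\\\)'/", $sql);
}

$cleaned = clean_nohtml($rawMileage);   // still 70'000: cleaning was for HTML, not SQL

// Wrong: interpolating the "cleaned" value straight into the query.
$broken = "UPDATE vehicle SET mileage = '$cleaned' WHERE id = 1";

// Right: escape immediately before the query is built, not at input time.
$fixed = "UPDATE vehicle SET mileage = '" . escape_for_mysql($cleaned) . "' WHERE id = 1";

echo $broken, PHP_EOL;   // UPDATE vehicle SET mileage = '70'000' WHERE id = 1
echo unescaped_quote_count($broken), PHP_EOL;   // 3 -> malformed literal, MySQL syntax error
echo $fixed, PHP_EOL;    // UPDATE vehicle SET mileage = '70\'000' WHERE id = 1
echo unescaped_quote_count($fixed), PHP_EOL;    // 2 -> one intact string literal
```

Two practical notes. First, as far as I know vBulletin's database layer exposes `$vbulletin->db->escape_string()` for exactly this purpose, and that is the call that belongs right next to the query; the input cleaner's job is to give you a sane PHP value, not a SQL-safe one. Second, a mileage is a number, so the tighter fix is to clean it as one (vBulletin's cleaner has numeric types such as TYPE_UINT) and interpolate an integer, at which point there is no quote to escape at all.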