The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
01-28-2010, 09:33 AM
|
|||
|
|||
when to use htmlspecialchars_uni
Sorry if this question sounds stupid...
I am adapting an old hack of mine, for a multilanguage site.. (in utf8) I have title, description and username to put into database (and pull from database and display) In the very old version info was escaped with addslashes($title),addslashes($description),addsla shes($username) and before display: stripspashes($title) etc.. etc... I now would like to do it with : $db->escape_string($title), $db->escape_string($description), $db->escape_string($username) Thats ok.. and I dont need the stripslashes anymore.. BUT... Should I add htmlspecialchars_uni before saving to db? OR after pulling from db? I meen should i do when saving... $db->escape_string(htmlspecialschars_uni($title)), $db->escape_string(htmlspecialschars_uni($description)), $db->escape_string(htmlspecialschars_uni($username)) Or should i only add the htmlspecialschars_uni() only before display.. (not before saving but: $title = htmlspecialschars_uni($title); $description = htmlspecialschars_uni($description); $username = htmlspecialschars_uni($username); I hope you understand what i meen.. F. 
|
|
#2
01-28-2010, 10:11 AM
|
||||
|
||||
|
Slashes are for when the data is stored in mysql, to stop sql injection.
htmlspecialchars_uni is for displaying the data, to stop xss attacks. You should always use escape_string() to add user inputted text to the database, and generally use {vb:var } to display it, as I believe that runs it through htmlspecialschars automatically.
|
|
#3
01-28-2010, 03:11 PM
|
|||
|
|||
|
Thank you for explaining..
So if I understand correctly, I still need the addslashes even if I use escape_string() because in vbulletin i havent seen one single add or stripslashes anymore.... and what confuses me is that sometimes they save textdata: escape_string(htmlspecialchars_uni($data)) and sometimes escape_string($data)
|
|
#4
01-28-2010, 06:10 PM
|
||||
|
||||
|
You dont need addslashes(), escape_string() is its replacement.
As for htmlsp..... its personal choice really, but I would generally store it raw, and clean it on output, especially in vb4 as you can just use vb:var instead of vb:raw.
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 04:56 PM.