  1. #1

    Question urlencode()/urldecode()

    Guys,

    I have a question regarding the urlencode/decode functions.

    I have a page that allows users to submit a text block. I am encoding this before inserting into the database. Then, when displaying back onto the page, I am decoding.

    The problem I am having specifically (although I'm sure it will affect other characters) is with the ' character. If I add "don't", when decoding out, it reads "don\'t".

    Is there a built-in function to correct these (or an alternative to urlencode/decode) or do I need to create my own clean-up function?

    Thanks,
    C.

  • #2
    raf
    i don't really see what escaping the quote has to do with urlencode() ...

    i think you're looking for addslashes(), stripslashes() and possibly mysql_real_escape_string(). you might also wanna check out get_magic_quotes_gpc()
    Take a look at example 3 at http://uk.php.net/manual/en/function...ape-string.php

    you can find more info on the other functions by following the 'see also' links on that page.
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #3
    felgall
    Predefined function: stripslashes()
    Stephen

  • #4
    The stripslashes() works great thanks.

    I'm also using the mysql_real_escape_string() for all my database calls now - is this sufficient to prevent against sql injections or do you guys recommend further measures?

    C.

  • #5
    raf
    i wouldn't rely only on escaping the 'bad' characters.

    the general rule is that you check all input from the user as soon as possible. Doesn't really matter if you are gonna use it in a query or not...
    so all data the user posts and all querystring and cookie values should be tested on their value format (if you expect a numerical value, then check if it is indeed numerical, if you expect a text of maximum 10 characters, then check that it isn't longer, if you expect a value from a limited list of options, then check if the received value is part of that list etc).

    also: limit the risk of having your mysql-accountdata exposed by for instance storing your connectioncode in a page that is stored above the webroot. you then include this page when you need to open a connection.
    and limit the possible consequences of an sql-injection by only giving the mysql-account that you use for PHP the strict minimum of permissions that it needs.
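
The format checks described in post #5, as an added example that is not part of the thread or any poster's code. It goes one step beyond the thread by using PDO bound parameters in place of mysql_real_escape_string(), and assumes PHP 7.1+ with an in-memory SQLite database standing in for MySQL; the table, field names and allowlist are hypothetical.

```php
<?php
// Assumptions: PHP 7.1+ with pdo_sqlite standing in for the MySQL connection;
// the table, field names and allowlist are hypothetical.
function validate_comment_input(array $in): array
{
    $errors = [];
    // Numeric value expected: accept only a positive integer.
    $userId = filter_var($in['user_id'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        $errors[] = 'user_id must be a positive integer';
    }
    // Short text expected: enforce the maximum length (strlen() counts bytes).
    $nick = $in['nick'] ?? '';
    if (!is_string($nick) || $nick === '' || strlen($nick) > 10) {
        $errors[] = 'nick must be 1 to 10 bytes';
    }
    // Value from a limited list expected: strict allowlist check.
    $category = $in['category'] ?? '';
    if (!in_array($category, ['news', 'help', 'offtopic'], true)) {
        $errors[] = 'category is not an allowed value';
    }
    // Free text block: bound its size; no urlencode() or addslashes() here.
    $body = $in['body'] ?? '';
    if (!is_string($body) || $body === '' || strlen($body) > 2000) {
        $errors[] = 'body must be 1 to 2000 bytes';
    }
    return [$errors, compact('userId', 'nick', 'category', 'body')];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (user_id INTEGER, nick TEXT, category TEXT, body TEXT)');

// Constructed sample request data (would come from $_POST).
$post = ['user_id' => '42', 'nick' => 'C.', 'category' => 'help', 'body' => "I don't know"];

[$errors, $clean] = validate_comment_input($post);
if ($errors) {
    exit(implode("\n", $errors) . "\n");
}
// Bound parameters keep the data out of the SQL text, so the quote needs no escaping.
$stmt = $pdo->prepare('INSERT INTO comments (user_id, nick, category, body)
                       VALUES (:userId, :nick, :category, :body)');
$stmt->execute($clean);

// Stored value is unchanged; escape for HTML only when displaying it.
$row = $pdo->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "\n";
```

Because the text is stored exactly as submitted, no stripslashes() or urldecode() step is needed when reading it back.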

