Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

php safe output

Tags:

php

I'm trying to make a "remember fields" thingy, so if there is one error you won't have to fill in the whole form again. But how can I make the output safe?

Example:

<input type="text" name="email" value="<?php echo (isset($_POST['email'])) ? htmlspecialchars($_POST['email']) : ''; ?>" />

If someone types in " ' " (without the quotes) for example you get:

Warning: mysql_result() expects parameter 1 to be resource, boolean given in C:\wamp\www\pages\register.php on line 55

So then I tried:

<input type="text" name="email" value="<?php echo (isset($_POST['email'])) ? mysql_real_escape_string($_POST['email']) : ''; ?>" />

Then it just adds a lot of //////.

What should I do?

I'm a noob yes. But I thought htmlspecialchars made user input safe?

like image 435
Remy Avatar asked Feb 12 '11 00:02

Remy


1 Answers

It depends on context.

htmlspecialchars() is your friend in HTML.

mysql_real_escape_string() is your friend in MySQL.

Update

You could run all your $_POST through htmlspecialchars() first with this...

$encodedHtmlPost = array_map('htmlspecialchars', $_POST);
like image 143
alex Avatar answered Sep 24 '22 14:09

alex