I need to escape this: \
As in the following str_replace:
[CODE]
/* In a double-quoted PHP string a literal backslash is written "\\", so the
   literal two-character sequences \n and \r are "\\n" and "\\r". The newline
   replacements have to run before the bare backslash is replaced, otherwise
   the "\\n" and "\\r" patterns no longer exist to be matched. */
$_SESSION['value_array'] = str_replace("\\n", "\n", $_SESSION['value_array']); /* I want this to start a new line */
$_SESSION['value_array'] = str_replace("\\r", "\n", $_SESSION['value_array']); /* I want this to start a new line as well */
$_SESSION['value_array'] = str_replace("\\", " ", $_SESSION['value_array']);
[/CODE]
…that is unless you guys know a solution to the following issue instead.
So I’m trying to secure my site with mysql_real_escape_string().
This function:
[code=php]
function value($field){
    if(array_key_exists($field, $this->values)){
        return htmlspecialchars(stripslashes($this->values[$field]));
    }else{
        return "";
    }
}
[/code]
…is a bottleneck for all user-submitted data, which I believe makes it the ideal location for mysql_real_escape_string() instead of adding it to each database query.
So I did this:
[code=php]
function value($field){
    if(array_key_exists($field, $this->values)){
        return mysql_real_escape_string(htmlspecialchars(stripslashes($this->values[$field])));
    }else{
        return "";
    }
}
[/code]
…this works fine unless there’s an error in the form.
In the event of an error in the form (illegal characters used, CAPTCHA code not entered, etc.) the form's (action) "process page" sends the user back to the form to correct the errors. [B]Prior[/B] to adding mysql_real_escape_string(), line breaks are preserved as well; [B]after[/B] adding it, they are not.
So in a textarea (for user-submitted CSS) [B]prior[/B]:
[CODE]
.namespace{
padding-bottom:10px;
}
[/CODE]
And the same textarea value [B]after[/B]:
[CODE]
.namespace{\r\npadding-bottom:10px;\r\n}
[/CODE]
So, just to be thorough in defining the issue, here’s the code in the form’s process page that sends the user back to the form to correct errors.
[code=php]
function procEditAccount(){
    global $session, $form;
    /* Account edit attempt */
    $retval = $session->editAccount($_POST['curpass'], $_POST['newpass'], $_POST['email'], $_POST['style'], $_POST['html'], $_POST['avatar'], $_POST['security_code']);
    /* Account edit successful */
    if($retval){
        $_SESSION['useredit'] = true;
        header("Location: ".$session->referrer);
        exit; /* stop here; header() does not end the script on its own */
    }
    /* Error found with form */
    else{
        $_SESSION['value_array'] = $_POST;
        /* Here's where I'd put my str_replace per the example above if I can escape the \ */
        $_SESSION['error_array'] = $form->getErrorArray();
        header("Location: ".$session->referrer);
        exit;
    }
}
[/code]
I'm betting there's a better way to do this, but this is the best solution I've come up with so far. Any other ideas? Regardless, I'd like to know how to escape the \ as I'm sure this kind of thing will come up somewhere else in my script. Thanks for your time.
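The following is an added example and is not the poster's code. It shows the structure that avoids the mangled line breaks altogether: the raw $_POST value is kept in the session as posted, HTML escaping happens only when the textarea is rendered, and the database write goes through a prepared statement instead of escaping at the input bottleneck. Two things in it are assumptions: legacyEscape() is a hand-written emulation of what mysql_real_escape_string() (removed with the rest of the mysql_* extension in PHP 7; mysqli_real_escape_string() behaves the same) does to control characters, included only to reproduce the symptom in the post, and the database is an in-memory SQLite via PDO so the script runs without a MySQL server. $_SESSION is used as a plain array because the script runs from the CLI without session_start().

```php
<?php
// Added example (not the original post's code). Escape for each output context
// at the point of use; store the submitted value unchanged in the meantime.

// Emulation (assumption, for illustration) of mysql_real_escape_string(): a real
// CR or LF becomes the two characters backslash-r / backslash-n. That is what
// turned the CSS into ".namespace{\r\npadding-bottom:10px;\r\n}" in the textarea.
function legacyEscape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ]);
}

// HTML context: escape when echoing into the form. htmlspecialchars() leaves
// CR/LF alone, so the user gets their CSS back with its line breaks.
function renderTextarea(string $value): string
{
    return '<textarea name="style">'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Constructed sample: what a browser posts for the textarea in the question.
$css = ".namespace{\r\npadding-bottom:10px;\r\n}";
$_SESSION = []; // stand-in for a started session when run from the CLI

// What the post's value() does: SQL-escape at input time, then reuse that
// value to refill the form. The line breaks come back as literal text.
$mangled = legacyEscape(htmlspecialchars($css));
echo "escaped at input: ", $mangled, PHP_EOL;

// Instead: keep the raw submission in the session, exactly as posted.
$_SESSION['value_array'] = ['style' => $css];
echo renderTextarea($_SESSION['value_array']['style']), PHP_EOL;

// SQL context: a prepared statement. The driver sends the value separately
// from the query text, so nothing is escaped by hand and the stored CSS is
// byte-for-byte what the user typed. In-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, style TEXT)');

$insert = $db->prepare('INSERT INTO users (style) VALUES (:style)');
$insert->execute([':style' => $_SESSION['value_array']['style']]);

$stored = $db->query('SELECT style FROM users WHERE id = 1')->fetchColumn();
echo "round-trip intact: ", var_export($stored === $css, true), PHP_EOL;
```

Run it with `php example.php`. The same pattern carries over to a real MySQL connection by swapping the DSN for `mysql:host=...;dbname=...` and keeping the prepare/execute pair; with parameters bound that way there is no call to an escaping function anywhere, so there is also no escaped copy of the input that could leak back into the form. The stripslashes() in the post's value() only made sense under magic_quotes_gpc, which was removed in PHP 5.4, so it can go as well.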