How to safely accept quotation mark and output safely

How can I display a name that includes a quotation mark, like La’ Place… I sanitize the input before I insert it into the database, and when I output it, it displays La&#39;Place. How can I make it display La’Place again…

Sanitizing shouldn’t change the value - anything that changes the value isn’t sanitizing. The exact value as input should be stored in the database and so be available to be retrieved.

If you use PDO bindParam or mysqli bind_param then you don’t need to worry about escaping apostrophes.

Sanitizing and escaping are not the same thing (although it does look like the OP has mixed up the two).

Sanitizing is an input process to remove invalid characters.

Escaping is an output function to ensure valid characters in the data don’t get mistaken for code. Escaping is only necessary when there is no way to keep the data and code separate (and Drummin has advised how to keep them separate in SQL).
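The separation described above, written out as an added PHP example (not code from the thread): the name is stored through a bound parameter so the apostrophe is never interpreted as SQL, and it is escaped only at the moment it is rendered into HTML. The table name, column name and sample input are made up for the example, and an in-memory SQLite database stands in for MySQL so it runs offline.

```php
<?php
// Added example: bind on the way into the database, escape on the way out to HTML.
// "business" / "bizname" are hypothetical names chosen for this example.
declare(strict_types=1);

function storeAndFetchName(PDO $pdo, string $name): string
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS business (id INTEGER PRIMARY KEY, bizname TEXT NOT NULL)');

    // SQL text and data travel separately: the apostrophe in $name is data, not code.
    $insert = $pdo->prepare('INSERT INTO business (bizname) VALUES (:bizname)');
    $insert->bindValue(':bizname', $name, PDO::PARAM_STR);
    $insert->execute();

    // Read the row back exactly as it was stored.
    $select = $pdo->prepare('SELECT bizname FROM business WHERE id = :id');
    $select->bindValue(':id', (int) $pdo->lastInsertId(), PDO::PARAM_INT);
    $select->execute();

    return (string) $select->fetchColumn();
}

// Escaping belongs here, at output, and only for the HTML context.
// ENT_QUOTES also encodes single quotes so a name cannot break out of an attribute;
// the browser decodes the entity and shows the apostrophe to the user.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$input  = "La'Place";                       // constructed sample, as if from $_POST['bizname']
$stored = storeAndFetchName($pdo, $input);

var_dump($stored === $input);               // the stored value is byte-for-byte the input
echo '<td>' . renderName($stored) . '</td>', PHP_EOL;

// Contrast with the OP's approach: FILTER_SANITIZE_STRING rewrites the value
// before it is stored, which is where the stored La&#39;Place came from.
// (It is deprecated as of PHP 8.1 and emits a deprecation notice there.)
echo filter_var($input, FILTER_SANITIZE_STRING), PHP_EOL;
```

With this split the comparison on the var_dump line is true, htmlspecialchars emits &#039; for the apostrophe in the HTML source (rendered as ' by the browser), and the last line shows the &#39; that FILTER_SANITIZE_STRING bakes into the value itself. If the same name is later written into JSON, a URL or a mail header, each of those contexts gets its own escaping function at its own output point; the database row stays untouched.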

I suppose my poor use of terms comes from the old days with mysql_real_escape_string, where it would add the slash before an apostrophe ('). In any case, regardless of the term, you are better off binding input being sent to the database.

@felgall this is what I do before I insert the value into the database, and I add magic quotes at the top of the page:

$bname = filter_var($_POST['bizname'], FILTER_SANITIZE_STRING); // strips tags and encodes quotes as HTML entities

So using PDO bindParam as @Drummin mentioned, I do not need to use the filter_var() function and the magic quotes?

You should be sanitizing when you first read fields in, not waiting until you are ready to write to the database. Sanitizing should test for what can validly be in the field and strip out anything that is not valid. If quotes are valid then sanitizing shouldn’t touch them.

I thought they got rid of magic quotes from PHP because it causes far more problems than it solves.

You don’t need filter_var to insert data with apostrophes into the database. PDO handles this with proper escaping.
But you still need filter_var (or any other sanitizing solution) if you want to strip bad characters from your data (for example, remove letters from phone numbers).
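The two points above (sanitize when the fields are first read, against what each field may validly contain, and keep a sanitizing step for fields like phone numbers) as one added PHP example that is not from the thread. The field names, length limits and allowed-character rules are assumptions made for the example; a real form would have its own.

```php
<?php
// Added example: per-field validation at request-read time.
// Quotes are legitimate in a business name, so that rule keeps them;
// a phone field keeps digits only. Nothing here escapes for HTML or SQL:
// that happens at the output point and via bound parameters respectively.
declare(strict_types=1);

function cleanBusinessName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;                       // empty or too long: reject
    }
    // Letters and digits in any script, space, apostrophe, ampersand, period, hyphen.
    // Anything outside this set (angle brackets, control characters, ...) rejects the
    // value rather than silently rewriting it, so the stored value is always the input.
    return preg_match('/^[\p{L}\p{N} \'&.-]+$/u', $name) === 1 ? $name : null;
}

function cleanPhone(string $raw): ?string
{
    // Here stripping is the right sanitizing step: letters, spaces and punctuation
    // are never part of the number, so drop them and validate the remaining length.
    $digits = preg_replace('/\D+/', '', $raw);
    if ($digits === null || strlen($digits) < 7 || strlen($digits) > 15) {
        return null;
    }
    return $digits;
}

/**
 * Apply the field rules to a request array (e.g. $_POST). Unknown keys are
 * dropped; a null value means the field failed validation and the form
 * should be re-shown with an error instead of writing to the database.
 */
function cleanRequest(array $post): array
{
    return [
        'bizname' => cleanBusinessName((string) ($post['bizname'] ?? '')),
        'phone'   => cleanPhone((string) ($post['phone'] ?? '')),
    ];
}

// Constructed sample request: an apostrophe that must survive, a phone number
// with formatting to strip, and a name with markup that must be rejected.
var_dump(cleanRequest(['bizname' => "La'Place",     'phone' => '(555) 123-4567 x9']));
var_dump(cleanRequest(['bizname' => 'Shop<script>', 'phone' => '12']));
```

The first call returns the name unchanged and the phone reduced to its digits; the second returns null for both fields. Rejecting a name that fails its rule, instead of stripping characters from it, is deliberate: a stripped value is a different value, which is exactly the corruption felgall describes, and a form error is easier to reason about than a silently altered record. Magic quotes would add nothing here, since PDO bound parameters already carry the apostrophe safely.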

Provided you use bind, you don’t even need escaping.

Sure, that is what I meant, PDO deals with apostrophes for you.
