Message sanitization & mysql compatibility

Hello,

Im quite fresh to web dev & php, but I’m working on some youtube app. I’ve run into problems with people posting messages, because the bugs are endless.

So I came to conclusion I need to sanitize messages to be MySQL and YouTube compatible.

I tried solving mysql problem by:

$title = mysql_real_escape_string($title);
$body = mysql_real_escape_string($body);

But the problem is, it works, but not very well. When user re-saves “sanitized” message, it gets sanitized again, so this happens.

Before 1:

I’m fine

After:

I\'m fine

After:

I\\\'m fine

So I guess I need to reverse this on client end. Or what?

Also, how would I make message YouTube compatible. I get all sorts of Zend Exceptions on validation when messages contain characters like >>> and # and I don’t know really which cause which exceptions.

Please help.

guido that code didn’t work, but rather made script crash. I have VPS with WHM/Cpanel, but I can’t find any magic quotes module enabled.

Anyway, I did remember of htmlentities() so I tried it, and it seems to work OK.

Now I use mysql_real_escape_string() before mysql requests, so if there is no reverse, why doesn’t than mysql output normal again?

Also for YouTube I want to allow letters, numbers and ,:;.()?/& thats all. Any filtering ideas?

You have to use mysql_real_escape_string before using user inputted string data in a query. Not before displaying it.

If you use it the right way, and it still shows these back-slashes, “magic quotes” are probably enabled on your hosting server. You can check this by echoing the form value inserted by the user before doing any sanitizing. If you wrote “I’m fine”, and it displays “I\'m fine”, magic quotes are on. If so, ask your host if they can switch it off, or ask them how you can switch it off. If that isn’t possible, you’ll have to sanitize the user input by passing it through a function like this:


  function checkinput ($value) {
    if (get_magic_quotes_gpc()) {
      return stripslashes($value);
    }
    else {
      return $value;
    }
  }