Sorry if this question has already been answered somewhere, but everywhere I look the answers seem to change.
I'm really not 100% sure how to deal with data going into and coming out of a DB.
For instance: a UTF-8 MySQL database and a form that takes user input.
When dealing with the POST, should I apply htmlspecialchars('data', ENT_QUOTES) to the data before it's saved to the database, or do I just save it raw? The data will most likely contain umlauts and similar special characters, so if no sanitization is done I assume < and > and all types of quotes would be stored exactly as they are.
Also, do I need to addslashes or mysql_real_escape_string before saving?
OR should all this stuff be done on the output, and just use filtering for input? I use Zend, so I have filters added to most elements.
Not sure it's relevant, but magic_quotes are off.
EDIT 2:
I believe my queries use prepared statements:
->where('fqha.form_question_has_answer_form_id = ?', $result[$input->formpage]['form_id'])
So does this mean I can ignore any further manipulation of the data and just save what the POST vars contain, only worrying about sanitizing for output to the page?
EDIT:
I'm using Doctrine 1.2 and from what I can tell this is PDO, but regarding this and the above question any advice would be greatly appreciated.
// Zend_Application bootstrap resource: registers the Doctrine autoloader
// and opens the MySQL connection used by the models.
protected function _initDoctrine()
{
    require_once 'Doctrine/Doctrine.php';
    require_once 'Doctrine/Overloadable.php';
    require_once 'Doctrine/Connection/Profiler.php';

    $this->getApplication()
         ->getAutoloader()
         ->pushAutoloader(array('Doctrine', 'autoload'), 'Doctrine');

    $manager = Doctrine_Manager::getInstance();
    $manager->setAttribute(
        Doctrine::ATTR_MODEL_LOADING,
        Doctrine::MODEL_LOADING_CONSERVATIVE
    );

    $cacheDriver = new Doctrine_Cache_Apc();
    $config = $this->getOption('doctrine');

    // Doctrine 1.2 uses PDO underneath; this opens the 'doctrine' connection.
    $conn = Doctrine_Manager::connection('mysql://user:pass@localhost/db_name', 'doctrine');
    $conn->setAttribute(Doctrine_Core::ATTR_QUERY_CACHE, $cacheDriver);

    // Make sure client and server agree on UTF-8 for every query.
    $conn->setCharset('utf8');
    $conn->exec('SET NAMES utf8');

    $profiler = new Imind_Profiler_Doctrine_Firebug();
    $conn->setListener($profiler);

    return $conn;
}
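The layering the question is circling around, shown as an added example (this is not the poster's code and not Doctrine's): bound parameters keep the SQL grammar separate from the data, so the value is stored byte-for-byte as submitted, and htmlspecialchars() is applied once, at the point where the value is written into HTML. It uses PDO with an in-memory SQLite database so it runs offline (the pdo_sqlite extension is assumed); the PDO calls are identical against MySQL. The table name, function names and the three sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example: raw storage via bound parameters, encoding only on output.
// Assumes the pdo_sqlite extension; with MySQL only the DSN changes.

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE answers (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Store the submitted value exactly as received. The bound parameter keeps the
// value out of the SQL text, so no addslashes() / mysql_real_escape_string().
function saveAnswer(PDO $pdo, string $raw): int
{
    $stmt = $pdo->prepare('INSERT INTO answers (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (int) $pdo->lastInsertId();
}

function loadAnswer(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM answers WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Output encoding for an HTML body/attribute context. ENT_QUOTES covers both
// quote styles; the explicit charset keeps multi-byte input from being mangled.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs standing in for $_POST values.
$samples = [
    "Grüße aus Köln, O'Reilly & Söhne",   // umlauts, apostrophe, ampersand
    '<script>alert("xss")</script>',      // markup that must not execute
    "Robert'); DROP TABLE answers;--",    // SQL-looking text, stays inert
];

$pdo = openDb();
foreach ($samples as $raw) {
    $id     = saveAnswer($pdo, $raw);
    $stored = loadAnswer($pdo, $id);

    // The round trip is lossless: the table holds the raw string, umlauts included.
    if ($stored !== $raw) {
        throw new RuntimeException('stored value differs from input');
    }

    // Entities are produced here, at render time, not in the table.
    echo '<li>' . h($stored) . "</li>\n";
}

// Why not encode before saving: the same value reused in a non-HTML context
// (a JSON response here) would otherwise carry &lt; and &#039; entities around.
echo json_encode(['body' => loadAnswer($pdo, 2)], JSON_UNESCAPED_UNICODE), "\n";
```

Input filtering (the Zend filters mentioned in the question) still has its place for validating shape, length and character set before the value reaches the query; it is not a substitute for either the bound parameter or the output encoding, and the two escaping steps are not interchangeable because each targets a different parser.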