Home/ Questions/Q 6091619
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T12:20:56+00:00

I’m still new to String Processing in PHP. Below is a diagram of what

  • 0

I’m still new to String Processing in PHP. Below is a diagram of what I am currently doing. Ultimately, I would like to get a generic methodology for handling strings in the below scenarios. Note that the text tends to be a lot of math symbols and code syntax in this scenario.

The strings and integer are input via a standard HTML-based form (I forgot to mention that in the diagram).

Step A currently uses: mysql_real_escape_string(input);

Step B currently uses:

  • htmlentities($string2)
  • nothing for $string1
  • nothing for the integer

Questions:

  1. Regarding MySQL injection, is mysql_real_escape_string sufficient to guard against this?
  2. I still need to finish processing the output for String1. Note how the text is actually used in two different places: HTML and Canvas. htmlentities at step B would make code syntax appear properly on the HTML5 Canvas but not in the HTML. Vice-versa for leaving it out (HTML syntax breaks the Page). Is there a JavaScript function that is identical to PHP’s htmlentities?
  3. int form should be validated to make sure it is an int.
  4. String2 ouputs “null” to the HTML when I use this character (‘–’) which is not the standard minus-sign character (‘-‘).
  5. Magic Quotes is turned off. However, if I run the script on a server with it enabled, I need a short script that goes: IF(magic quotes is enabled){turn off magic quotes}.
  6. What did I forget in regard to form validation?

If my approach is totally wrong, set me straight and help me get this straightened out once and for all. You can describe your solution in terms of A, B, C, D and E if you think that is helpful. Thanks in advance.

String Processing Diagram

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    1. mysql_real_escape_string() will properly escape your code
    2. (A) On the JavaScript end, jQuery’s .text() method will properly escape code before outputting it to the page. (B) Check out PHP.js. It’s a JavaScript library that replicates PHP functionality, and includes htmlentities() and htmlspecialchars(). http://phpjs.org/
    3. As for the integer, you can use the ctype_digits() function to ensure that it is a numeric value; and you can also use some form of type hinting: $int = (int) $int;.
    4. I agree with the gentleman who recommended trying htmlspecialchars().
    5. Try to keep magic quotes off. It’s a horrible feature, and will be removed in a future release of PHP. If you need to include protection against magic quotes, try something similar to the code below. (see bottom of post)
    6. It’s hard to say without seeing your code, but it seems like you are on the right track.

    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $func = function(&$val, $key) {
        if (!is_numeric($val)) {
            $val = stripslashes($val);
        }
    };

    array_walk_recursive($_GET, $func);
    array_walk_recursive($_POST, $func);
    array_walk_recursive($_COOKIE, $func);

    unset($func);
}
    • 0