This tutorial shows some functions you need to apply to data from your input forms (text fields, text areas), because it is not safe to take string data from a form and put it straight into your database. Special characters such as " and ' can terminate your SQL statement early or corrupt the query, and they are the gateway for an attacker to inject their own SQL into your website.
' and " are using in PHP structures as open or close string structures.
using in PHP for escape or cross the PHP structure characters behind it. Ex.<? echo "He said "Hello Marry."."; ?> Result : He said "Hello Marry".
• addslashes
Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte). Apply this function to your string variables before you put them into your database, and keep the returned value: the argument itself is not modified. Note that addslashes() knows nothing about the database connection's character set, so for MySQL mysql_real_escape_string() or, better, a prepared statement is the safer choice; and if magic_quotes_gpc is on, the request data is already escaped, and escaping it again stores doubled backslashes.
Syntax :
string addslashes ( string str )
• stripslashes
Apply this function to string variables that still contain backslash escapes before you output them with echo or print. It un-quotes a string quoted with addslashes(): it returns the string with the backslashes stripped off (\' becomes ' and so on), and double backslashes (\\) are made into a single backslash (\). It is only needed when the stored value actually carries those backslashes.
Syntax :
string stripslashes ( string str )
• nl2br
This function is for string variables that contain line breaks typed into a text area: it inserts the HTML line break '<br />' before every newline in the string. Apply it after htmlspecialchars(), so the '<br />' it inserts is not encoded.
• htmlspecialchars
Certain characters have special significance in HTML and should be represented by HTML entities if they are to keep their meaning. This function returns a string with some of these conversions made; the translations are those most useful for everyday web programming. It is useful for preventing user-supplied text from being interpreted as HTML markup, as in a message board or guest book application. The optional second argument, quote_style, tells the function what to do with single and double quote characters; pass ENT_QUOTES to convert both.
Syntax :
string htmlspecialchars ( string str [, int quote_style] )
The translations performed are:
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' (unless ENT_NOQUOTES is set)
''' (single quote) becomes '&#039;' (only when ENT_QUOTES is set)
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
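To see what the four functions above actually do to one hostile entry, here is an added example (not code from the original tutorial) that runs each of them over a constructed guest-book note. The escape_once() helper is an assumption introduced here, not a PHP builtin; everything else is standard PHP.

```php
<?php
// Added example, not code from the original tutorial: what each of the four
// functions does to one constructed, hostile guest-book entry.

// Constructed sample input: a single quote (ends the SQL literal early), a
// backslash, an HTML script tag (stored XSS if echoed raw) and a newline
// typed into a textarea.
$input = "O'Reilly \\ <script>alert(\"x\")</script>\nline two";

// 1. addslashes(): puts a backslash before ' " \ and NUL so the value can
//    sit inside a single-quoted SQL literal. It returns a new string and
//    leaves its argument alone, so the result has to be assigned.
$forSql = addslashes($input);
$sql = "INSERT INTO guestbook (note) VALUES ('$forSql')";
echo $sql, "\n";

// Request data must be escaped exactly once. With magic_quotes_gpc on
// (PHP < 5.4) $_POST is already escaped, and a second addslashes() would
// store doubled backslashes; this helper (an assumption, not a PHP builtin)
// normalises first.
function escape_once($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return addslashes($value);
}

// 2. stripslashes() is the inverse of addslashes(): \' -> ' and \\ -> \.
assert(stripslashes($forSql) === $input);

// 3. htmlspecialchars(): & < > " become entities, and ' too when ENT_QUOTES
//    is passed, so the browser renders the script tag as text.
$forHtml = htmlspecialchars($input, ENT_QUOTES);
echo $forHtml, "\n";

// 4. nl2br(): inserts <br /> before every newline. Call it after
//    htmlspecialchars(), otherwise the <br /> it adds is encoded as well.
echo nl2br($forHtml), "\n";

// Wrong order for comparison: the inserted tag comes out as &lt;br /&gt;
// and the line break is lost in the browser.
echo htmlspecialchars(nl2br($input), ENT_QUOTES), "\n";
```

Run it with the PHP CLI and compare the four lines it prints: the first is the SQL text with the quote neutralised, the second shows the script tag as entities, the third adds the line break, and the fourth shows why nl2br() must come last.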
Tutorial
This tutorial contains 3 files and 1 table in a MySQL database.
Create the database "tutorial" and the table "guestbook" with 5 fields: id (auto_increment), name (varchar(50)), email (varchar(50)), note (longtext), datetime (datetime).
The main page of this tutorial is show.php. First browse to this file and click the "Add New>" link at the top to enter a new record in post.html. When you submit the form it goes to post.php, which redirects back to show.php. The record you just entered appears as the first record on the page.
show.php
Shows the data records, using: stripslashes(), nl2br(), htmlspecialchars(). Its "Add New>" link leads to post.html.
post.php
Receives the parameters and puts them into the database, using addslashes(); then redirects to show.php.
post.html
HTML file with the form; submitting it sends the fields to post.php.
Summary:
You need to apply addslashes() to every string variable before you put it into your database, and assign the result (addslashes() does not change its argument), like this:
Ex.
$a = "String from input form fields such as text fields or text areas";
$a = addslashes($a);
mysql_query("insert into guestbook (note) values ('$a')"); <== Put it into your database.
addslashes() is the minimum. It does not know the connection's character set, so mysql_real_escape_string() or, better, a prepared statement is the safer choice; and the mysql_* functions themselves are removed in PHP 7, so new code should use mysqli or PDO.
Use htmlspecialchars(), stripslashes() and nl2br() when you output string data from your database.
Ex.
$a = "String values from your database";
echo nl2br(stripslashes(htmlspecialchars($a))); <== Use 3 functions in 1 line.
Keep htmlspecialchars() before nl2br(), otherwise the <br /> tags nl2br() adds are encoded too. stripslashes() is only needed if the stored value still carries backslashes (for example because magic_quotes_gpc escaped the input a second time); after a single addslashes() MySQL removes the backslashes on insert, and stripslashes() on clean data would delete backslashes the user actually typed.
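The post.php and show.php logic of the tutorial, written out as an added example (this is not the tutorial's own code): build_insert_sql() is the post.php side with the escaping the summary calls for, render_row() is the show.php side with the output encoding, and insert_prepared() is the same insert as a mysqli prepared statement for comparison. The function names, the form field names and the sample submission are assumptions; the table and column names are the ones the tutorial defines. Needs PHP 7 or newer.

```php
<?php
// Added example, not the tutorial's own post.php/show.php: the guest-book
// flow from the summary, with escaping on the way in and encoding on the
// way out. Function names, field names and sample data are assumptions;
// the table "guestbook" and its columns are the tutorial's.

// post.php side: build the INSERT for one submitted form.
// $post is the request array ($_POST in real use); the return value is the
// SQL string the tutorial hands to mysql_query().
function build_insert_sql(array $post) {
    // Validate before escaping: escaping protects the SQL syntax, it does
    // not make an empty name or a bad email address acceptable.
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $note  = (string)($post['note'] ?? '');
    if ($name === '' || strlen($name) > 50) {
        throw new InvalidArgumentException('name is required (max 50 chars)');
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL) || strlen($email) > 50) {
        throw new InvalidArgumentException('invalid email');
    }
    // addslashes() returns the escaped copy; it does not change its argument.
    $name  = addslashes($name);
    $email = addslashes($email);
    $note  = addslashes($note);
    return "INSERT INTO guestbook (name, email, note, datetime) "
         . "VALUES ('$name', '$email', '$note', NOW())";
}

// Same insert as a mysqli prepared statement: the values never become part
// of the SQL text, so no escaping function is needed at all. Preferred over
// addslashes(), which is not aware of the connection's character set.
// Needs a live connection, so it is defined but not called below.
function insert_prepared(mysqli $db, array $post) {
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, note, datetime) VALUES (?, ?, ?, NOW())'
    );
    $stmt->bind_param('sss', $post['name'], $post['email'], $post['note']);
    return $stmt->execute();
}

// show.php side: turn one stored row into safe HTML. Encode first, then add
// <br />. stripslashes() is left out: after a single addslashes() MySQL has
// already removed the backslashes, so the stored value is the original.
function render_row(array $row) {
    $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    $when = htmlspecialchars($row['datetime'], ENT_QUOTES, 'UTF-8');
    $note = nl2br(htmlspecialchars($row['note'], ENT_QUOTES, 'UTF-8'));
    return "<p><b>$name</b> ($when)<br />$note</p>";
}

// Constructed sample submission: the single quote would have ended the SQL
// literal early, and the script tag would have run in every visitor's browser.
$submission = [
    'name'  => "O'Brien",
    'email' => 'ob@example.com',
    'note'  => "Nice site!\n<script>alert(document.cookie)</script>",
];
echo build_insert_sql($submission), "\n";

// Constructed row as show.php would read it back from MySQL (backslashes
// from addslashes() are gone; the quote and the tag are stored as typed).
$row = [
    'name'     => "O'Brien",
    'note'     => $submission['note'],
    'datetime' => '2024-01-01 12:00:00',
];
echo render_row($row), "\n";
```

The first line printed is the INSERT with the name escaped as O\'Brien; the second is the HTML the visitor receives, where the script tag appears as text and the newline has become a <br />.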