Quote:
stefan88 wrote:
Well, I have an edit field, where user enters url.
I do " $myts->addSlashes..." before saving into database and "$myts->htmlSpecialChars..." before display.
Is that ok and what else should I do?
- "user enters url"
You should know some URLs start with javascript: or about:
- $myts->addSlashes
You should know $myts->addSlashes behaves curiously.
Under the environment magic_quotes_gpc=on, it never escapes slashes.
POST,GET -> ($myts->stripSlashes) -> raw data
raw data -> (addslashes or mysql_*_escape instead of $myts->addSlashes) -> string for MySQL
This is the right way.
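The flow in the reply (undo magic_quotes_gpc first, escape for MySQL only at the query, escape for HTML only at output, and reject javascript:/about: URLs), written out as an added example in plain PHP rather than XOOPS's $myts code. It assumes PHP 7.1+ with mysqli; the table name `links` and the function names are made up for illustration, and a prepared statement stands in for the mysql_*_escape call mentioned above.

```php
<?php
// Added example, not from the thread or from XOOPS. Assumes PHP 7.1+ and mysqli.

// Step 1: POST/GET -> raw data. If magic_quotes_gpc is on (PHP < 5.4), PHP has
// already added backslashes, so strip them to get back the original input.
function rawInput(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Accept only http/https; this rejects javascript:, about:, data: and the like.
function safeUrl(string $raw): ?string {
    $url = trim($raw);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Step 2: raw data -> string for MySQL. Escape at the query, never earlier;
// a bound parameter does what mysql_real_escape_string did, using the
// connection's charset. Table `links` is hypothetical.
function storeUrl(mysqli $db, string $url): bool {
    $stmt = $db->prepare('INSERT INTO links (url) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $url);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Step 3: escape for HTML only when displaying, so the stored value stays raw.
function renderLink(string $url): string {
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Usage: $url = safeUrl(rawInput($_POST['url'] ?? ''));
// if ($url === null) { /* reject */ } else { storeUrl($db, $url); echo renderLink($url); }
```

With this order, the database never holds doubly escaped backslashes, and `htmlspecialchars` never runs on data that was escaped for MySQL.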