escaping

I am a newbie, just to be clear. I hear a lot about escaping data to prevent XSS attacks. How do I actually do that? This is what I am doing currently - $s = mysqli_real_escape_string($connect,$_POST['name'])); Is this enough? Thanks SuperSpy If you output the data to html you should use htmlspecialchars() else, if you're storing the data in a database you should escape strings using mysqli_real_escape_string() and cast numbers (or use prepared statements for both) and protect identifiers/operators by whitelist-based filtering whem. Both these methods are all you need if you use them the

I have a question, is there a way to "force" repr() to create always single quotes around a string? This happens when I only use repr() print repr("test") 'test' print repr("test'") "test'" print repr("test\"") 'test"' print repr("test'\"") 'test\'"' so the last one actually does, what I want, but I don't want to add always \\" to get the single quotes. Edit: I am not going to mark an answer as accepted since, as pointed out by @martijn-pieters, I was using repr() for purposes it is not intended for. Well, if your object is always a string you could do this: def repr_single(s): return "'" +

Here's the date. Everything is being escaped but the t in "\a\t". Anybody know why? date("M m\, Y \a\t g\:ia", $s->post_date); "\t" is a escape sequence for the horizontal tab character. Use '\t' or "\\t" Single-quoted strings interpret \ literally, which I'd recommend for your use case. Otherwise you have to escape the \ character to have it interpreted literally. In PHP's case, the \ preceding an invalid escape sequence inside a double-quoted string also gets interpreted literally. I'd rather avoid this behavior, following the principle of least surprise. ps. (thanks to @IMSoP) There are two

I do not understand this MySQL behaviour : if I want to display a\b, I can just select "a\\b" which work without problem : mysql> select "a\\b"; +-----+ | a\b | +-----+ | a\b | +-----+ 1 row in set (0.05 sec) But if I wnat to search a string containing a \ in a table using LIKE, I need to double-escape my "\". Why ? Here is an example. We prepare a small table. create table test ( test varchar(255) ); insert into test values ( "a\\b" ) , ( "a\\b\\c" ) , ( "abcd" ); mysql> select * from test; +-------+ | test | +-------+ | a\b | | a\b\c | | abcd | +-------+ 3 rows in set (0.05 sec) We try to

I need to escape a double quote in inline c# within javascript. Code is below: if ("<%= TempData["Message"]%>" == "") { // code }; Normally, I would just use single quotes like so: if ('<%= TempData["Message"]%>' == "") { // code }; However, TempData["Message"] has single quotes within it (when it contains a link generated by the Html.ActionLink() helper in ASP.NET MVC). So while I could change all the ActionLink helpers inside TempData["Message"] to tags, it's an interesting problem and would been keen to hear if anyone has an answer. Call HttpUtility.JavaScriptStringEncode . This method is

In my web app, users can input text data. This data can be shown to other users, and the original author can also go back and edit their data. I'm looking for the correct way to safely escape this data. I'm only sql sanitizing on the way in, so everything is stored as it reads. Let's say I have "déjà vu" in the database. Or, to be more extreme, a <script> tag. It is possible that this may be valid, and not even maliciously intended, input. I'm using htmlentities() on the way out to make sure everything is escaped. The problem is that html and input fields treat things differently. I want to