I'm still new to String Processing in PHP. Below is a diagram of what I am currently doing. Ultimately, I would like to get a generic methodology for handling strings in the below scenarios. Note that the text tends to be a lot of math symbols and code syntax in this scenario.

The strings and integer are input via a standard HTML-based form (I forgot to mention that in the diagram).

Step A currently uses: mysql_real_escape_string(input);

Step B currently uses:

  • htmlentities($string2)
  • nothing for $string1
  • nothing for the integer


  1. Regarding MySQL injection, is mysql_real_escape_string sufficient to guard against this?
  2. I still need to finish processing the output for String1. Note how the text is actually used in two different places: HTML and Canvas. htmlentities at step B would make code syntax appear properly on the HTML5 Canvas but not in the HTML. Vice-versa for leaving it out (HTML syntax breaks the Page). Is there a JavaScript function that is identical to PHP's htmlentities?
  3. int form should be validated to make sure it is an int.
  4. String2 ouputs "null" to the HTML when I use this character ('–') which is not the standard minus-sign character ('-').
  5. Magic Quotes is turned off. However, if I run the script on a server with it enabled, I need a short script that goes: IF(magic quotes is enabled){turn off magic quotes}.
  6. What did I forget in regard to form validation?

If my approach is totally wrong, set me straight and help me get this straightened out once and for all. You can describe your solution in terms of A, B, C, D and E if you think that is helpful. Thanks in advance.

String Processing Diagram


1) Keep strings "raw" internally. 2) Escape strings precisely for the appropriate use. Also see here.

Written by Kerrek SB

Accepted Answer

  1. mysql_real_escape_string() will properly escape your code
  2. (A) On the JavaScript end, jQuery's .text() method will properly escape code before outputting it to the page. (B) Check out PHP.js. It's a JavaScript library that replicates PHP functionality, and includes htmlentities() and htmlspecialchars(). http://phpjs.org/
  3. As for the integer, you can use the ctype_digits() function to ensure that it is a numeric value; and you can also use some form of type hinting: $int = (int) $int;.
  4. I agree with the gentleman who recommended trying htmlspecialchars().
  5. Try to keep magic quotes off. It's a horrible feature, and will be removed in a future release of PHP. If you need to include protection against magic quotes, try something similar to the code below. (see bottom of post)
  6. It's hard to say without seeing your code, but it seems like you are on the right track.


if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $func = function(&$val, $key) {
        if (!is_numeric($val)) {
            $val = stripslashes($val);

    array_walk_recursive($_GET, $func);
    array_walk_recursive($_POST, $func);
    array_walk_recursive($_COOKIE, $func);

Written by webjawns.com
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki