Common escape syntaxes include prefixing a backslash to each special
character (the MySQL convention) and duplicating the special character
(the standard SQL convention for quotes). Use the escape syntax of the
system the data is actually sent to: an escape that is correct for one
system may have no meaning at all for another, leaving the data unescaped.
Encoding changes data from one representation to another without losing
information; decoding always recovers the original exactly. The encoding we
examine is the encoding of the special XHTML characters. It is of particular
use when we want to display data literally (in its raw state) in an XHTML
page, and when storing data in XML.
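As an added example (not from the book or from the Joomla framework), the following Python encodes the five XHTML special characters, shows that the encoding is lossless by decoding it again, and shows why the ampersand must be handled first. The sample string is constructed for the example.

```python
import html

# The XHTML special characters and the entities they encode to. '&' is listed
# first because it must be encoded before the others: otherwise the '&' that
# starts each newly inserted entity would itself be encoded a second time.
# The apostrophe is encoded numerically because HTML 4 browsers do not know
# the XML entity &apos;, while every XML and HTML parser accepts &#39;.
XHTML_ENTITIES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
]


def encode_xhtml(text: str) -> str:
    """Encode the XHTML special characters so `text` is displayed literally
    instead of being parsed as markup. The same entities are valid in XML."""
    for ch, entity in XHTML_ENTITIES:
        text = text.replace(ch, entity)
    return text


def decode_xhtml(text: str) -> str:
    """Inverse of encode_xhtml (html.unescape also knows the other entities)."""
    return html.unescape(text)


def is_lossless(text: str) -> bool:
    """Encoding is lossless: decoding the encoded text returns the original."""
    return decode_xhtml(encode_xhtml(text)) == text


# Constructed sample: content that would execute as script if written into a
# page raw, but is shown as plain text once encoded.
SAMPLE = '<script>alert("x")</script> & Tom\'s "quote"'

if __name__ == "__main__":
    print(encode_xhtml(SAMPLE))
    print(is_lossless(SAMPLE))
```

Encode exactly once, at the point where the data is written into the page: encoding already-encoded text turns `&amp;` into `&amp;amp;`, which is still lossless but displays the entity text instead of the character.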
Escaping and Quoting Database Data
If we use unescaped data when interacting with a database, we can inadvertently
alter the meaning of a query. Imagine we have a database table #__test containing
two fields: id, a numeric ID field, and content, a text field. This is how we might
choose to build our update query.
$db =& JFactory::getDBO();
$query = false;
// Only build the query if an integer id was supplied; the INT filter casts it
if( $id = JRequest::getVar('id', 0, 'GET', 'INT') )
{
    // The content is fetched raw (no filtering), so it must be escaped before use
    $data = JRequest::getVar('content', 0, 'GET', 'STRING', JREQUEST_ALLOWRAW);
    $query = " UPDATE ".
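The following is an added example, not the book's code and not part of Joomla. It builds the same UPDATE statement by string concatenation and runs it against an in-memory SQLite database that stands in for the MySQL server (the table is named jos_test, assuming Joomla has replaced the #__ placeholder with the prefix jos_). filter_int is my own approximation of JRequest's INT filter. It shows that raw content changes the meaning of the query, that the wrong escape syntax for the system (backslash escaping, which SQLite does not understand) leaves the injection working, and that quote doubling or bound parameters keep the attack text as plain data. The attacker input and table rows are constructed for the example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for #__test with prefix jos_."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jos_test (id INTEGER PRIMARY KEY, content TEXT)")
    db.executemany("INSERT INTO jos_test VALUES (?, ?)",
                   [(1, "one"), (2, "two"), (3, "three")])
    db.commit()
    return db


def filter_int(value) -> int:
    """Approximation (assumption) of JRequest's 'INT' filter: keep the first
    integer found in the value, otherwise 0. Whatever else the attacker
    appends to the id is discarded."""
    m = re.search(r"-?\d+", str(value))
    return int(m.group()) if m else 0


def escape_doubling(text: str) -> str:
    """Standard-SQL string escaping: each single quote is duplicated.
    This is the syntax SQLite understands (MySQL accepts it as well)."""
    return text.replace("'", "''")


def escape_backslash(text: str) -> str:
    """MySQL-style escaping: a backslash is prefixed to backslashes and quotes.
    SQLite gives the backslash no special meaning, so this is the WRONG syntax
    for the system the data is sent to here."""
    return text.replace("\\", "\\\\").replace("'", "\\'")


def build_update(id_value, content: str, escape=None) -> str:
    """Build the UPDATE the way the page does, by string concatenation.
    `escape` is None for raw content or one of the escape functions above."""
    if escape is not None:
        content = escape(content)
    return f"UPDATE jos_test SET content = '{content}' WHERE id = {filter_int(id_value)}"


def run_update(db, id_value, content, escape=None):
    """Execute the built statement and return the whole table afterwards."""
    db.execute(build_update(id_value, content, escape))
    db.commit()
    return db.execute("SELECT id, content FROM jos_test ORDER BY id").fetchall()


# Constructed attacker value for the raw 'content' parameter: the quote ends
# the string literal early, the injected WHERE matches every row, and "--"
# comments out the original WHERE clause.
ATTACK = "x' WHERE id <> 0 -- "


def demo_raw():
    """No escaping: every row is overwritten with 'x', not just id 1."""
    return run_update(make_db(), "1", ATTACK)


def demo_wrong_escape():
    """Backslash escaping on SQLite: the quote still terminates the literal,
    so the injection succeeds and every row becomes the two characters x\\ ."""
    return run_update(make_db(), "1", ATTACK, escape_backslash)


def demo_right_escape():
    """Quote doubling: the attack text is stored literally, and only in row 1."""
    return run_update(make_db(), "1", ATTACK, escape_doubling)


def demo_parameterized():
    """Bound parameters never become part of the SQL text, so no escaping is needed."""
    db = make_db()
    db.execute("UPDATE jos_test SET content = ? WHERE id = ?", (ATTACK, filter_int("1")))
    db.commit()
    return db.execute("SELECT id, content FROM jos_test ORDER BY id").fetchall()


if __name__ == "__main__":
    print("raw:          ", demo_raw())
    print("wrong escape: ", demo_wrong_escape())
    print("right escape: ", demo_right_escape())
    print("parameterized:", demo_parameterized())
```

The id is safe only because the INT filter reduces it to a number before it is concatenated; the content, fetched with JREQUEST_ALLOWRAW, is not reduced at all and must be escaped with the syntax of the database driver in use. In Joomla the database object's Quote() and getEscaped() methods do this for the configured driver, which is why the framework's own escaping should be used rather than a hand-written one.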