[WebERP-developers] Replicating slashes problem - escaping special chars for database insertion or HTML

[iced l. <ice...@gm...>]

Currently we have sessions.inc processing all session, post and get vars in
the same way.

We make a big assumption here with DB_escape_string at line 59 and 66 (for
single var and slightly different for arrays):

$_POST[$PostVariableName] = DB_escape_string($PostVariableValue);

This assumes that we know what a function will do with the
post/get/sessions vars and that they are going to be inserted/updated to a
database. They are passed to the DB_escape_string function which returns
(for mysqli):

mysqli_real_escape_string($db, htmlspecialchars($String,
ENT_COMPAT,'utf-8', false));

This is causing exponential slash addition to variables which are not
entered to a database but instead posted to a HTML field value. Each time
the field is updated the value is saved in the database with extra slashes
when escaping a special char like a single quote.

If we do actually need to do this variable processing in sessions.inc then
perhaps we could  decide what is more common  displaying the var or
insert/updating to a db.

If we chose for example that displaying the var on the page is more common
then we should change sessions inc for example on this line:

$_POST[$PostVariableName] = DB_escape_string($PostVariableValue)

to
$_POST[$PostVariableName]= htmlspecialchars($PostArrayValue,
ENT_QUOTES,'UTF-8');

and for this case in DB_escape_string from:

return mysqli_real_escape_string($db, htmlspecialchars($String,
ENT_COMPAT,'utf-8', false));
to

return mysqli_real_escape_string($db, htmlspecialchars_decode($String,
ENT_COMPAT));


Then we need to call DB_escape_string on vars before we send to any insert
or edit for database.

On the other hand - we need to do the opposite if we assume it is more
likely to post to the database.

Perhaps there is another 3rd way to handle it?

Thanks to all in advance for any feedback!!