Is It Possible to Allow "\" with htmlspecialchars() ?

[chaseman]

$asciiart_name = strip_tags(mysqli_real_escape_string($dbc, trim($_POST['asciiart_name'])));
$asciiart_category = strip_tags(mysqli_real_escape_string($dbc, trim($_POST['asciiart_category'])));
$asciiart_contribution = htmlspecialchars($_POST['asciiart_contribution']);
$asciiart_contribution = str_replace("'","''", $asciiart_contribution);

 

Above is my code, with a textarea you can post the data into the $asciiart_contribution variable, BUT you can not post anything including backslash, is there any way to allow this one character?

 

I'd still like the people to not use any html code, but at the same time I want a certain freedom of characters which includes use of backslash.

 

Thanks for all the tips.

[requinix]

I'm guessing the "contribution" is the actual ASCII art itself?

$asciiart_name = strip_tags(trim($_POST["asciiart_name"]);
$asciiart_category = strip_tags(trim($_POST["asciiart_category"]));
$asciiart_contribution = $_POST["asciiart_contribution"]; // don't do anything to it

// eventually you'll put the values into the database
mysqli_query($dbc, sprintf("INSERT INTO table (name, category, contribution) VALUES ('%s', '%s', '%s')",
    mysqli_real_escape_string($dbc, $asciiart_name),
    mysqli_real_escape_string($dbc, $asciiart_category),
    mysqli_real_escape_string($dbc, $asciiart_contribution)));

// and eventually you'll get the values back out again. if you use the same variable names,
echo "Name: ", htmlentities($asciiart_name), "
\n";
echo "Category: ", htmlentities($asciiart_category), "
\n";
echo "", htmlentities($asciiart_contribution), "";

[chaseman]

Thank you a lot man, it works great, and I learned something new!

[fortnox007]

make sure you have the UTF-8 characterset, in either your header or in the third parameter of htmlentities.

Otherwise other character set's are allowed, which may cause trouble:

http://shiflett.org/blog/2005/dec/google-xss-example