Justin French wrote:
My first reaction (after years of PHP scripting) was to escape it with a slash:
<input type='text' name='surname' value='O\'Riley' /> -- doesn't work.
Adding to this - try htmlspecialchars() in PHP with ENT_QUOTES set - this will special-character all the XML reserved entities for you. For storage in a data store this is preferable, as you don't have to worry about escaping quotes in SQL statements etc.
Pushing into PHP land a bit further, you can strstr() the input value to ensure you don't "double special" the ampersand if that's already been added, e.g. ending up with &amp;#039; .
HTH James
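A worked version of the htmlspecialchars() approach above, added here as an example and not code from the original post or the list. It assumes PHP 5.4 or later (for ENT_SUBSTITUTE) and uses the double_encode parameter of htmlspecialchars() as an alternative to the strstr() check.

```php
<?php
// Added example: escape a value for an HTML attribute with ENT_QUOTES, and
// avoid re-encoding input that already contains entities ("double special").

// Escape a value for use inside a single- or double-quoted attribute.
function attr(string $value): string
{
    // ENT_QUOTES converts both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string, which would silently drop the value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same escaping, but existing entities such as &#039; or &amp; are left alone
// (double_encode = false), so already-escaped input is not encoded twice.
function attrNoDouble(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Constructed sample inputs: a raw value and the same value already escaped.
$raw     = "O'Riley & Sons";
$escaped = attr($raw);

// The quote and ampersand become entities, so the value stays inside the
// attribute regardless of which quote style the markup uses.
echo "<input type='text' name='surname' value='" . $escaped . "' />\n";
echo '<input type="text" name="surname" value="' . $escaped . '" />' . "\n";

// Escaping the escaped value again turns &#039; into &amp;#039;;
// attrNoDouble() leaves an already-escaped value unchanged.
echo attr($escaped) . "\n";
echo attrNoDouble($escaped) . "\n";

// Safer rule of thumb: store the raw value and escape once, at output time,
// so the double-encoding question does not arise in the first place.
```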
The discussion list for http://webstandardsgroup.org/