Explain this...

Now I have Edit Jobs where you can do the same HTML and other SQL
specific stuff in the Job Description, that works with no problems
whatsoever, then I have this Edit Candidate page that is structured
EXACTLY the same, and the Edit Candidate craps out...

Why is that?  One works and the other doesn't?

-----Original Message-----
From: Paul DuBois [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 08, 2002 10:34 AM
To: Todd Williamsen; [EMAIL PROTECTED]
Subject: RE: [PHP-DB] addslashes()

At 10:22 -0600 2/8/02, Todd Williamsen wrote:
>No kidding I see the problem, that is why I am asking how do I solve

By writing a content parser that is intelligent enough to recognize HTML
constructs and pass them through literally, while recognizing when your
people write other stuff containing the same characters that does not
signify HTML.  In other words, a parser that can read their minds.  Good
luck. :-)

Alternatively, tell them to signal special constructs using a syntax
that doesn't overlap HTML so that you can recognize the constructs and
transform them to HTML when you render a Web page.

Alternatively, tell them that if they want to include literal characters
like < or >, they must enter them as &lt; or &gt;.  In this case, you
interpret the text as HTML that's already properly escaped and you
display it as is with no extra conversion.

None of these are particularly attractive.  It's an ugly problem; I
it has no pretty solution.

>I don't need the problem re-explained to me 8)
>
>-----Original Message-----
>From: Paul DuBois [mailto:[EMAIL PROTECTED]]
>Sent: Friday, February 08, 2002 10:21 AM
>To: Todd Williamsen; [EMAIL PROTECTED]
>Subject: RE: [PHP-DB] addslashes()
>
>At 10:06 -0600 2/8/02, Todd Williamsen wrote:
>>Sorry for the confusion...
>>
>>I have an application where it organizes candidates for positions for
>>HR.  There is a Notes field where they can update actions with the
>>potential candidate.  Now this can be when this person has been
>>contacted, conversations, or just to say this person is not available,
>
>I assume by this you mean you have a form-based application through
>which the information is submitted.
>
>>There may be a point where quotes need to be added to quote a
>>or I wanted to give them the option of adding HTML tags to the field
>>that when someone looks at the person's record, that the HTML will be
>>displayed.  It wasn't just the HTML that was causing problems, but the
>>quotes as well.
>
>This makes your problem basically intractable.  Sorry.
>
>If I input: Candidate requires salary < $100K and > $75K
>Then it like kinda like there's a tag there, because of the < and >
>
>Or if I input: Candidate has a, shall we say, "checkered" past
>Then the value has quotes.
>
>Now, you want to let people put in something like:
>Candidate has a, shall we say, <font color="red">checkered</font> past.
>
>Now, you can store any of those values into the database easily.   Just
>use addslashes() to escape the values that are special in SQL.  When
>retrieve the values, you'll get exactly the values as shown above.
>
>But then what do you do with them?  For the first two instances, you
>need to display the <, > and " characters literally, which you might
>do by converting them to HTML entities (&lt;, &gt;, and &quot;) by
>the strings through htmlspecialchars() before printing them as part of
>Web page.
>
>But for the third instance, you want to pass those same characters
>through to the browser so that it interprets them as HTML markup.
>
>How are you going to tell?
>
>See the problem?
>
>>If I add..
>>Joe Blow said "blah blah blah"  the query wouldn't execute.  But if I
>>did Joe Blow said, blah blah blah, it works fine.
>>
>>I know HTML isn't as touchy and you can actually do without the
>>ie, <font color=red>BLAH</font> it will still display red font.
>>
>>The weird thing is that I have a Job Posting section and when you
>>or edit an existing job and add HTML, it works fine without the
>>addslashes() function, but with the Edit Candidate, it craps out...
>>
>>Weird, both are practically carbon copies of each other, database
>>is both set to "TEXT" and both queries are the same structure.
>>
>>I cannot figure it out
>>
>>If you want the URL to look at it, I will send it to you.
>
>PHP Database Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php
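The thread above mixes two separate escaping problems: quotes that break the SQL statement on the way into the database (what addslashes() was being used for) and <, > and " that the browser interprets on the way out (what htmlspecialchars() handles). The following is an added example, not code posted by either participant, showing Paul's second alternative in PHP: store the note verbatim using a prepared statement instead of addslashes(), escape everything on output, and then convert a small markup syntax that does not overlap HTML into an allow-listed set of tags. The `[b]`, `[i]` and `[red]` markers, the in-memory SQLite database opened through PDO, and the table and function names are all assumptions made for the illustration; the sample notes are the ones quoted in the thread plus one constructed string with a backslash.

```php
<?php
// Added example, not from the PHP-DB thread. Assumes PHP with the PDO SQLite
// driver available. The [b]/[i]/[red] markup syntax is an illustrative choice.
declare(strict_types=1);

// --- Storage side: the SQL problem ---------------------------------------
function openNotesDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE candidate_notes (id INTEGER PRIMARY KEY, note TEXT NOT NULL)');
    return $db;
}

function saveNote(PDO $db, string $note): int {
    // A bound parameter never reaches the SQL parser as SQL text, so quotes and
    // backslashes in $note are stored unchanged; no addslashes() needed.
    $stmt = $db->prepare('INSERT INTO candidate_notes (note) VALUES (:note)');
    $stmt->execute([':note' => $note]);
    return (int) $db->lastInsertId();
}

function loadNote(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT note FROM candidate_notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : $row['note'];
}

// --- Rendering side: the HTML problem ------------------------------------
function renderNote(string $note): string {
    // Step 1: neutralise every HTML-significant character. From here on any
    // <, >, " or & the user typed is displayed literally, never parsed as a tag.
    $safe = htmlspecialchars($note, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: translate only the allow-listed markup into HTML. The markers
    // contain no HTML-special characters, so they survive step 1 intact.
    $allowed = [
        '#\[b\](.*?)\[/b\]#s'     => '<strong>$1</strong>',
        '#\[i\](.*?)\[/i\]#s'     => '<em>$1</em>',
        '#\[red\](.*?)\[/red\]#s' => '<span style="color:red">$1</span>',
    ];
    $html = preg_replace(array_keys($allowed), array_values($allowed), $safe);

    return nl2br($html);
}

// --- Usage: round-trip the thread's sample inputs -------------------------
$db = openNotesDb();
$samples = [
    'Candidate requires salary < $100K and > $75K',
    'Candidate has a, shall we say, "checkered" past',
    'Candidate has a, shall we say, <font color="red">checkered</font> past.',
    'Candidate has a, shall we say, [red]checkered[/red] past.',
    "Joe Blow said \"blah blah blah\" \\ constructed backslash case",
];
foreach ($samples as $s) {
    $id = saveNote($db, $s);
    $stored = loadNote($db, $id);
    // The stored text is byte-for-byte what the user entered.
    assert($stored === $s);
    echo renderNote($stored), "\n";
}
```

With this split, the first two sample notes render with `&lt;`, `&gt;` and `&quot;` and are shown literally; the third, the raw `<font>` tag, is also shown literally because raw HTML is no longer an input channel; only the fourth, written in the non-overlapping `[red]` syntax, becomes a real `<span>`. The SQL side no longer depends on whether a particular form calls addslashes(), which is the kind of inconsistency between two "carbon copy" pages that the thread is chasing.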
