From: "matthew perry" <[EMAIL PROTECTED]>

> Actually I think the problem is before you can use either addslashes or
> mysql_escape_string() functions.  The value with " or ' never reaches
> the database.  I think I need a way to ignore quotes for input values in
> HTML.
>
> Say I have this:
> <input type="text" size = "2" name="Q">
> And my user enters:    2 " copper tubing
> The value for "Q" will be: 2

No, the value of $Q will still be 2 " copper tubing, but if you tried to
show that value inside of a text box again, you'd lose everything after the
second quote, because you end up with this:

<input type="text" size="2" name="Q" value="2 " copper tubing">

HTML interprets the value as "2 " and the rest of the value as an
unrecognized attribute.

The solution is to run htmlentities() on the value to convert double quotes
into &quot; so you end up with

<input type="text" size="2" name="Q" value="2 &quot; copper tubing">

Which will appear correctly to the user.

Note that if you deal with text that's going to be shown on HTML pages,
running the text through htmlentities($value,ENT_QUOTES) will prevent the
text from being used for cross site scripting and SQL injection.

---John Holmes...

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to