2009/4/9 tedd <t...@sperling.com>:
> Hi gang:
> I'm gathering information from a user, storing that data in a db, and then
> showing it back to the user. It's a simple process and can be seen here in
> this address book demo (not real people):
> I gather information from the user via a $_POST; like this:
> $last_name = trim($_POST['last_name']);
> Then I pass it through mysql_real_escape_string() like so --
> $last_name = mysql_real_escape_string($last_name);
> -- and then I put that data into my table via an UPDATE.
> Then when I pull data from the table, I do this --
> $last_name = htmlentities($row['last_name']);
> -- and show that data to the user. That's what I'm supposed to do right?
Yes, but add ENT_QUOTES as second parameter to htmlentities, so that
php will convert single 'quotings', too.
You might want to use htmlspecialchars($str, ENT_QUOTES) to preserve
special characters like äöü and alike.
If you're using UTF-8, you want to add 'UTF-8' as the third parameter
for the given html*() function.
> So, why is it that when I enter the name "O'Brian", the entry comes back
This happens because you have php configured to automatically apply
addslashes() to every predefined user-input scope like _GET, _POST,
... just turn it off or call stripslashes *before* issuing
like that :
"UPDATE `foo` SET `bar` = ".
Beware of typing stripcslashes('see the C?'), as it will not strip
anything without further options. ;)
> So what's wrong and how do I fix it?
> PS: I know that I'm supposed to know this, but that part of my brain is on
> vacation -- I can't afford for all of me to go on vacation at one time.
> http://sperling.com http://ancientstones.com http://earthstones.com
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
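The double-escaping the reply describes, as an added PHP example that is not part of the thread: it simulates magic_quotes_gpc with addslashes() and stands in for mysql_real_escape_string() and the MySQL round trip with addslashes()/stripslashes(), so it runs without a database. It assumes PHP 5 (htmlentities() defaulting to ENT_COMPAT, magic_quotes_gpc still present); the function names are the example's own.

```php
<?php
// Constructed input: what the browser submits for a last name of O'Brian.
$raw = "O'Brian";

// With magic_quotes_gpc=On, PHP applies addslashes() to every $_POST value before
// the script runs. Simulated here so the example behaves the same on any PHP 5 setup.
function simulate_magic_quotes($value) {
    return addslashes($value);
}

// Input normalisation as the reply suggests: undo magic quotes before escaping.
// On a live server, decide with get_magic_quotes_gpc() instead of a flag.
function normalize_input($posted, $magic_quotes_on) {
    $value = trim($posted);
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// Stand-in for mysql_real_escape_string(), which needs an open connection; for the
// quote and backslash characters in this example addslashes() escapes identically.
function escape_for_sql($value) {
    return addslashes($value);
}

// MySQL undoes one level of escaping when it parses the string literal in the UPDATE;
// stripslashes() reverses addslashes() exactly, so it models what lands in the row.
function simulate_db_store($escaped) {
    return stripslashes($escaped);
}

// Output encoding: ENT_QUOTES turns ' into &#039; (PHP 5's default ENT_COMPAT leaves it),
// and 'UTF-8' keeps multibyte characters such as äöü intact.
function escape_for_html($stored) {
    return htmlentities($stored, ENT_QUOTES, 'UTF-8');
}

// Full path from $_POST to the page: magic quotes (on/off), optional stripslashes(),
// SQL escaping, the database round trip, then HTML escaping for display.
function round_trip($raw, $magic_quotes_on, $strip_first) {
    $posted = $magic_quotes_on ? simulate_magic_quotes($raw) : $raw;
    $clean  = normalize_input($posted, $strip_first);
    $stored = simulate_db_store(escape_for_sql($clean));
    return escape_for_html($stored);
}

// Broken path: magic quotes on but never stripped -> row holds O\'Brian, page shows O\&#039;Brian.
echo round_trip($raw, true, false), "\n";
// Fixed path: stripslashes() before escaping -> row holds O'Brian, page shows O&#039;Brian.
echo round_trip($raw, true, true), "\n";
```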