RE: [PHP] escaping quotes for redisplay

2003-02-19 Thread Ford, Mike [LSS]
> -----Original Message-----
> From: Erik Price [mailto:[EMAIL PROTECTED]]
> Sent: 18 February 2003 18:11
>
> PS: I am using htmlentities() on the output before displaying it in the
> browser, but it doesn't apply to single quotes.

Ahem!  I quote from http://www.php.net/manual/en/function.htmlentities.php:

 ... the optional second quote_style parameter lets you define
 what will be done with 'single' and double quotes. It takes
 on one of three constants with the default being ENT_COMPAT:

 Constant Name   Description
 ENT_COMPAT      Will convert double-quotes and leave single-quotes alone.
 ENT_QUOTES      Will convert both double and single quotes.
 ENT_NOQUOTES    Will leave both double and single quotes unconverted.

So just use htmlentities($output, ENT_QUOTES).

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
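
An added example, not part of the original thread: it renders the single-quoted form field from Erik's question with each of the three quote_style constants and reports whether the submitted value survives the attribute intact. The helper names `render_field` and `attribute_value` are hypothetical, the inputs are constructed, and the regex is a simplified stand-in for a browser's attribute parsing.

```php
<?php
// Added example; helper names are hypothetical and inputs are constructed.

// Re-display a submitted value inside a single-quoted value attribute,
// as in the form from the thread. Flags are passed explicitly because
// the default changed from ENT_COMPAT to
// ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 in PHP 8.1.
function render_field(string $name, string $value, int $flags): string
{
    return sprintf(
        "<input type='text' name='%s' value='%s' />",
        htmlentities($name, $flags, 'UTF-8'),
        htmlentities($value, $flags, 'UTF-8')
    );
}

// Simplified stand-in for a browser: the attribute value ends at the
// first literal single quote, and entities are decoded afterwards.
function attribute_value(string $html): ?string
{
    if (!preg_match("/\\svalue='([^']*)'/", $html, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$flags = [
    'ENT_COMPAT'   => ENT_COMPAT,
    'ENT_QUOTES'   => ENT_QUOTES,
    'ENT_NOQUOTES' => ENT_NOQUOTES,
];
// Constructed sample submissions.
$inputs = ["O'Reilly", 'The "Camel" book', "Tom & Jerry's"];

foreach ($inputs as $input) {
    foreach ($flags as $label => $flag) {
        $html = render_field('publisher', $input, $flag);
        // The field is safe to redisplay only if the value read back
        // from the markup equals what the user submitted.
        $state = attribute_value($html) === $input ? 'intact' : 'BROKEN';
        printf("%-12s %-7s %s\n", $label, $state, $html);
    }
}
```

Only the ENT_QUOTES rows keep every input intact regardless of which quote character delimits the attribute; text after a literal quote that ends the attribute early is parsed as further markup rather than as part of the value.
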




[PHP] escaping quotes for redisplay

2003-02-18 Thread Erik Price
Hi,

I am running into a problem that I'm certain I've had before, but for 
some reason I don't remember how to handle.  If anyone can advise me on 
what to do here, that would be great.

I have a PHP script that accepts some user input and validates it, and 
if the validation fails, it re-displays the form.  In the form, the 
text fields' value attributes are set to the user's input so that the 
user doesn't have to fill everything out again.  The whole system works 
great, and I'm sure you've all seen it a hundred times before.

The problem happens when a user enters a single quote, such as in the 
string O'Reilly.  Re-displaying this value in the value attribute 
of the form, like this:

  <input type='text' name='publisher' value='O'Reilly' />

is clearly invalid HTML, and it shows when the page is rendered in the 
user's browser (only the O gets through).

If I turn on magic_quotes_gpc or use addslashes, the output is like so:

  <input type='text' name='publisher' value='O\'Reilly' />

And of course, when rendered, simply allows the O\ to get through.

I can solve this problem by using double-quotes instead of 
single-quotes for my attributes, and that is probably what I'm going to 
have to do.  However, this means I can't let users enter double quotes, 
or the same thing will happen.  In other fields, double-quotes might be 
necessary.  Is there any other solution?

Thanks,

Erik

PS: I am using htmlentities() on the output before displaying it in the 
browser, but it doesn't apply to single quotes.  I suppose I could 
str_replace it, but I'm wondering how other people handle this 
situation.






--
Erik Price

email: [EMAIL PROTECTED]
jabber: [EMAIL PROTECTED]





Re: [PHP] escaping quotes for redisplay

2003-02-18 Thread David Otton
On Tue, 18 Feb 2003 13:10:33 -0500, you wrote:

>  <input type='text' name='publisher' value='O'Reilly' />

<input type="text" name="blah" value="aa&quot;aa">

