Hi List, I don't do a lot of websites so pardon me if this is a stupid question.
I am using htmlentities($text, ENT_COMPAT, 'UTF-8'); to escape text from the db to be displayed in form fields. This works fine, but when the text is saved in the database the entities are saved with it.

For example, if the text in the db is 'Mike & Ike', the form field looks like:

<input type='text' name='foo' value='Mike & Ike'/>

This is displayed correctly, but when I submit this to the server it is saved to the database as 'Mike & Ike'. The next time it is output in HTML I get:

<input type='text' name='foo' value='Mike &amp; Ike'/>

which is, of course, NOT displayed correctly.

How can I protect my pages from script injection and display content in form fields correctly?

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
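A worked illustration of the store-raw, escape-on-output rule that avoids the double-encoding in the post. This is an added example, not code from Mike's message; the browserSubmits() helper is a stand-in for the browser's own decoding of entities in an attribute value.

```php
<?php
// Escape at output time only. The stored value stays raw.
// ENT_QUOTES also escapes single quotes, which ENT_COMPAT leaves alone,
// so the result is safe inside both "..." and '...' attributes.
function fieldValue(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Stand-in for the browser: it decodes the entities in the attribute and
// submits the original characters, not the entity text.
function browserSubmits(string $attributeValue): string {
    return html_entity_decode($attributeValue, ENT_QUOTES, 'UTF-8');
}

// Wrong pattern: escaping before storing. Every save/display cycle adds
// another layer of encoding, which is the symptom described in the post.
$stored = htmlentities('Mike & Ike', ENT_COMPAT, 'UTF-8');   // "Mike &amp; Ike" goes into the db
$shown  = htmlentities($stored, ENT_COMPAT, 'UTF-8');        // "Mike &amp;amp; Ike" renders as "Mike &amp; Ike"
echo $shown, "\n";

// Right pattern: keep the raw value in the db and escape only when rendering.
$db = 'Mike & Ike';
for ($i = 0; $i < 3; $i++) {
    $attr = fieldValue($db);                                   // "Mike &amp; Ike" in the HTML source
    echo "<input type=\"text\" name=\"foo\" value=\"$attr\">\n";
    $db = browserSubmits($attr);                               // submitted unchanged: back to 'Mike & Ike'
}
var_dump($db === 'Mike & Ike');                                // bool(true): stable over any number of round trips

// Why ENT_QUOTES matters for the single-quoted attributes in the post:
// ENT_COMPAT leaves the apostrophe unescaped, so it would terminate value='...'.
$name = "O'Brien & Sons";
echo htmlspecialchars($name, ENT_COMPAT, 'UTF-8'), "\n";      // O'Brien &amp; Sons   (quote left intact)
echo fieldValue($name), "\n";                                  // O&#039;Brien &amp; Sons
```

If the database already holds entity-encoded rows from the old pattern, decode them once with html_entity_decode() during a migration rather than decoding on every read.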