Maybe you're looking for something like:
mysql_query("insert into mytable (`tablekey`,`rowvalue`)
values
(NULL,'".mysql_real_escape_string(html_entity_decode($datafrompage))."')");
You shouldn't have to do the html_entity_decode though. I think you're
double converting it somewhere.
~Rolan
Michael B Allen wrote:
Hi List,
I don't do a lot of websites so pardon me if this is a stupid question.
I am using htmlentities($text, ENT_COMPAT, 'UTF-8'); to escape text from
the db to be displayed in form fields. This works fine but when the text
is saved in the database the entities are saved with it.
For example, if the text in the db is 'Mike & Ike', the form field looks like:
<input type='text' name='foo' value='Mike &amp; Ike'/>
This is displayed correctly but when I submit this to the server it is
saved to the database as 'Mike &amp; Ike'. The next time it is output
in HTML I get:
<input type='text' name='foo' value='Mike &amp;amp; Ike'/>
which is, of course, NOT displayed correctly.
How can I protect my pages from script injection and display content in
form fields correctly?
Mike
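An added example, not code from this thread, showing the pattern Rolan's reply points at: store the submitted text unmodified and escape it only when it is rendered into HTML, so nothing is ever double-converted. It uses PDO with an in-memory SQLite database and a prepared statement in place of mysql_query/mysql_real_escape_string (the mysql_* functions were removed in PHP 7), and htmlspecialchars with ENT_QUOTES instead of htmlentities with ENT_COMPAT, because ENT_COMPAT leaves single quotes alone and the form in the thread puts the value inside a single-quoted value='...' attribute. The table and column names come from Rolan's snippet; the sample inputs are constructed.

```php
<?php
// Added example (not from the thread): keep the raw value in the database,
// escape at output time only. SQLite in memory so it runs offline.

// Escape text for an HTML body or attribute. ENT_QUOTES encodes both ' and ",
// which matters when the attribute is delimited with single quotes.
function html_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the field the way the thread's page does, escaping only here.
function render_field(string $name, string $value): string
{
    return "<input type='text' name='" . html_escape($name)
         . "' value='" . html_escape($value) . "'/>";
}

// Save exactly what the form submitted. The prepared statement keeps the value
// out of the SQL text, so no SQL escaping and no entity encoding/decoding
// belongs in this function.
function save_value(PDO $db, string $value): void
{
    $stmt = $db->prepare('INSERT INTO mytable (rowvalue) VALUES (:v)');
    $stmt->execute([':v' => $value]);
}

function load_last_value(PDO $db): string
{
    $sql = 'SELECT rowvalue FROM mytable ORDER BY tablekey DESC LIMIT 1';
    return (string) $db->query($sql)->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (tablekey INTEGER PRIMARY KEY AUTOINCREMENT,'
        . ' rowvalue TEXT NOT NULL)');

// Constructed sample inputs: the value from the thread, plus two that would
// break out of the attribute or inject markup if rendered unescaped.
$submitted = [
    "Mike & Ike",
    "x' onmouseover='alert(1)",
    "<script>alert(1)</script>",
];

foreach ($submitted as $raw) {
    save_value($db, $raw);
    $fromDb = load_last_value($db);
    // The database holds the raw text, never entities.
    if ($fromDb !== $raw) {
        throw new RuntimeException('value was altered on the way to the database');
    }
    echo render_field('foo', $fromDb), "\n";
}

// The failure the thread describes: escaping an already-escaped string encodes
// the '&' of '&amp;' a second time, so the browser shows the entity literally.
echo "Double-encoded: ", html_escape(html_escape("Mike & Ike")), "\n";
```

Run it with `php example.php`; each rendered field contains the escaped value and the last line shows why a stored entity reappears as visible `&amp;` text.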
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php