Quotes in Variable escaping Form Value
Posted by keith (keith), 2 February 2006
Hi,
I have the following :-
$main.="<input name='title' type='text' size='40' value='".$title."'>";
Now this is fine until the value of title is something like:-
$title="when they're going to be here";
All that is displayed in the Form text field is:
The value of $title actually comes from a mySQL db.
I want the user to see exactly what they originally type in the form, so they can modify it. How do I get this text field to display the full line :
when they're going to be here
I'm sure I should be doing an addslashes or something, but I just can't get the line to display correctly in the text field.
Thanks in advance
Posted by Chris_Isaac (Chris Isaac), 2 February 2006
Hi Keith
I'm a bit rusty with PHP, but I think you are on the right lines because it's cutting off the string at the ' in they're.
Try using the addslashes function (when you originally input the data into the mysql db) and see if that gets you over the problem. (Don't forget to use the stripslashes function when getting the information out.)
Like I said, I'm rusty; if that doesn't work, there are bigger and uglier people on the board who will point you in the right direction.... there's Graham as well...
Hope this helps.
Posted by admin (Graham Ellis), 2 February 2006
This is how I remember it:
Reading from a form - call stripslashes but ONLY if your server is configured with magic quotes set on (that's the default). This prevents quotes entered by the user having a backslash in front of them.
Saving to a database - call addslashes which ensures that the 4 special characters that can't be otherwise passed in within your SQL get escaped as appropriate.
Reading back from a database - no action to take since you've already saved the data cleanly.
Outputting back to the browser (and this INCLUDES echoing back as the value in a text string) - htmlspecialchars which converts < to &lt; and (answering Keith's original query) " to &quot;.
Posted by keith (keith), 2 February 2006
Thanks Graham and Chris,
Chris, I had tried addslashes, but it didn't help.
Graham, I know PHP addslashes by default (when magicquotes is on) to form data.
The data I am showing is from MySQL, not directly from a form, so the stripslashes and addslashes part seems to be irrelevant.
It's saving fine in mySQL, e.g. I can pull it back out and echo $title;
and I get:-
when they're going to be here
It's just the form value thing that's the issue.
So all I need to do is use htmlspecialchars
Or am I not understanding something here!?
Posted by admin (Graham Ellis), 2 February 2006
on 02/02/06 at 23:14:40, keith wrote:
Nope, I think that's all you need then.
Posted by keith (keith), 3 February 2006
Ah!
With a bit of swapping from Single Quotes to Double Quotes and vice-versa, it worked like a charm.
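Added example, not code from the thread: the field above delimits its attribute with single quotes, and htmlspecialchars only escapes ' when ENT_QUOTES is set (before PHP 8.1 the default flag was ENT_COMPAT), which is why swapping the quote style was needed. The helper names attr() and title_field() and the sample titles are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Escape a value for use inside an HTML attribute, whichever quote
// character delimits the attribute. ENT_QUOTES converts both " and ';
// before PHP 8.1 the default flag (ENT_COMPAT) left ' untouched.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: builds the text field from the thread, escaped.
function title_field(string $title): string
{
    return "<input name='title' type='text' size='40' value='" . attr($title) . "'>";
}

// Constructed sample values standing in for rows read back from MySQL.
$samples = [
    "when they're going to be here",
    'say "hello" & <wave>',
];

foreach ($samples as $title) {
    // Original pattern from the thread: raw value in a single-quoted attribute.
    // The first ' in the data closes the attribute, so the field is truncated.
    $raw = "<input name='title' type='text' size='40' value='" . $title . "'>";
    echo "raw:        $raw\n";

    // ENT_COMPAT reproduces the pre-8.1 default: " is escaped, ' is not,
    // so a single-quoted attribute is still cut short.
    $compat = htmlspecialchars($title, ENT_COMPAT, 'UTF-8');
    echo "ENT_COMPAT: <input name='title' value='" . $compat . "'>\n";

    // ENT_QUOTES is safe with either quote style around the attribute.
    echo "ENT_QUOTES: " . title_field($title) . "\n";

    // The browser decodes entities when it parses the attribute, so the user
    // sees and resubmits the original text. Verify that round trip here.
    $decoded = html_entity_decode(attr($title), ENT_QUOTES, 'UTF-8');
    echo ($decoded === $title ? "round trip ok" : "round trip FAILED") . "\n\n";
}
```

Run it with the PHP command-line interpreter; the escaping applies only at output time, so the value stored in the database stays unmodified.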