[RESOLVED] Escape char in HTML?


jesseainskeep
11-30-2006, 12:47 PM
I'm stumped what to do on this, so I thought I would ask for help...

I've got a form that will update and insert into a database, the problem comes in with the ' and ".

I use the addslashes() and stripslashes() and have no problem with the database, it's when I'm trying to put the data back into the form so they can update something...

My source code generated by php is below.... You'll know what I mean.

<tr>
<td width="75px">Name:</td>
<td width="425px"><input type="text" size="30" id="frmName" name="frmName" value='O\'Reiley' /></td>
</tr>
<tr>
<td>Address:</td>
<td><input type="text" size="30" id="frmAddress" name="frmAddress" value="O\Reiley" ></td>

</tr>
<tr>
<td>City:</td>
<td><input type="text" size="15" id="frmCity" name="frmCity" value="O"Reiley" /></td>
</tr>

If I use " or ' for the value, and am trying to insert this, I've got a big problem...

What do you do when you need to put a ' and " in a text box?

russell
11-30-2006, 01:19 PM
don't use addslashes(), stripslashes(). use str_replace() and double up the quotes. single quote is the database escape character.

"O'Reilly" becomes "O''Reilly" (note that is 2 single quotes, not a double-quote).

It will be stored correctly in db and be returned correctly to your php/html

NogDog
11-30-2006, 03:27 PM
don't use addslashes(), stripslashes(). use str_replace() and double up the quotes. single quote is the database escape character.

"O'Reilly" becomes "O''Reilly" (note that is 2 single quotes, not a double-quote).

It will be stored correctly in db and be returned correctly to your php/html
Isn't that dependent on what DBMS is being used?

NogDog
11-30-2006, 03:41 PM
I'd recommend using htmlspecialchars() to output the data, thus making it a non-issue whether or not single- or double-quotes are used around the value:

<?php
$value = "O'Reilly";
$value2 = 'This is "a test."';
?>
<form action="test.php" method="post">
<p>
<input type="text" size="30" id="frmAddress" name="frmAddress"
value='<?php echo htmlspecialchars($value, ENT_QUOTES); ?>'>
<br><input type="text" size="30" id="frmAddress2" name="frmAddress2"
value="<?php echo htmlspecialchars($value2, ENT_QUOTES); ?>">
<br><input type="submit" value="submit">
</p>
</form>
<pre><?php print_r($_POST); ?></pre>
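To make the separation between the two escaping contexts concrete, here is an added example (not from NogDog's post or the original thread): the database side is handled by a PDO prepared statement instead of addslashes()/stripslashes(), and the HTML side by htmlspecialchars() with ENT_QUOTES at output time. It assumes PHP with the PDO SQLite driver and uses an in-memory database plus constructed sample values so it runs offline.

```php
<?php
// Added example: keep database quoting and HTML escaping apart.
// Database: bind values with a prepared statement, store the raw string.
// HTML: escape with htmlspecialchars(ENT_QUOTES) only when rendering.
// Assumes the PDO SQLite driver; the table and values are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, city TEXT)');

// Constructed sample input containing a single quote, double quotes and a backslash.
$name = "O'Reiley";
$city = 'Sao "Paulo" \\ Test';

// The driver handles quoting, so nothing is doubled or slashed by hand.
$ins = $pdo->prepare('INSERT INTO contacts (name, city) VALUES (:name, :city)');
$ins->execute([':name' => $name, ':city' => $city]);

// Reading it back returns exactly what was entered; no stripslashes() needed.
$row = $pdo->query('SELECT name, city FROM contacts WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
assert($row['name'] === $name && $row['city'] === $city);

// Attribute escaping: ENT_QUOTES converts both ' and ", so the attribute stays
// intact whether the template wraps the value in single or double quotes.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<input type="text" name="frmName" value="' . attr($row['name']) . '">' . "\n";
echo "<input type=\"text\" name=\"frmCity\" value='" . attr($row['city']) . "'>\n";
```

The browser decodes the entities before submitting the form, so the value round-trips unchanged through the text box. The stray backslashes visible in the original output mean the stored data was already slashed on the way in; output escaping alone will not remove those.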

jesseainskeep
11-30-2006, 03:43 PM
Wow, I don't know why I couldn't think of that....

The only problem is when it was displaying back in the text boxes...

Thanks much for the help...

russell
11-30-2006, 07:46 PM
Isn't that dependent on what DBMS is being used?
theoretically, yes, but the databases I'm most familiar with -- MSSQL, DB2, MS Access, MySQL -- all support it. I think Oracle does too.