galvin Posted November 12, 2010 Share Posted November 12, 2010 I imagine there are lots of ways to answer this question, so I just want people's opinions as to the best way (if there is one). I have code with a basic form that submits data to a MySQL database. So when someone submits data the first time, I "clean it up" by doing... $_POST['data'] = trim(mysql_prep($_POST['data'])); .. and then submit that info into a "varchar" mySQL field. Then if the user comes back to edit it, the form comes up and the data they previously entered is pulled into the field this way (I'm leaving out the MySQL to pull the data, obviously)... <input type="text" name="field" value="<?php echo $data;?>"> The problem is that if someone entered this originally... Here is "some" data with apostrophes ...Then when I echo that back into the value of the text field, it would only show... Here is " ...and then cuts off because the quotation mark in the data conflicted with the quotation mark after value= Is htmlentities the answer here, or is there some other/better way? FYI... function mysql_prep($value) { $magic_quotes_active = get_magic_quotes_gpc(); $new_enough_php = function_exists("mysql_real_escape_string") ; //i.e. PHP >= v4.3.0 if($new_enough_php) { //PHP v4.3.0 or higher //undo any magic quote effects so mysql_real_escape_string can do the work if($magic_quotes_active) { $value = stripslashes($value) ;} $value = mysql_real_escape_string($value); } else { //before php v4.3.0 // if magic quotes aren;t already on then add slashes manually if(!magic_quotes_active) { $value = addslashes($value); } // if magic quotes are active, then the slashes already exist } return $value; } Quote Link to comment Share on other sites More sharing options...
spfoonnewb Posted November 12, 2010 Share Posted November 12, 2010 You can use htmlentities() in this particular case. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 12, 2010 Share Posted November 12, 2010 Yes, htmlentities() would take care of this. Quote Link to comment Share on other sites More sharing options...
ManiacDan Posted November 12, 2010 Share Posted November 12, 2010 Don't ever use addslashes. Use stripslashes on input if magic_quotes are enabled, otherwise use the mysql_real_escape_string function (or its equivalent in whatever database you use) for inserting into your database. Use htmlentities for echoing HTML, mysql_real_escape_string for inserting into mysql. Also, the " symbol is "quotes" or usually "double-quotes." A single ' is an apostrophe when it's inside a word, or "single quotes" when they surround a string. -Dan Quote Link to comment Share on other sites More sharing options...
galvin Posted November 13, 2010 Author Share Posted November 13, 2010 Thanks everyone. I also have some situations where someone submits info, but they didn't complete required fields, so I store the info they did enter into a Session variable and then echo that into the "value" so they don't have to reenter what they already typed. I'm using HTMLentities to echo this data back and I'm finding that if someone enters a double quote like... here is "something" It gets echoed back (using HTMLentities) as... here is \"something And then if they submit again, but don't fill in all fields again, it comes back as... here is \\\"something And it has potential to get a lot of those "escape" slashes if they keep missing required fields. Should I not be using htmlentities in this case, since the data isn't coming from MySQL, but is instead just coming from a Session variable? Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 13, 2010 Share Posted November 13, 2010 That looks as thought you have magic_quotes_gpc on in the php.ini file. Disable it if you can do so, and handle character escapement yourself. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.