
Double quote injection problem with mySQL and PHP

Posted: Fri Feb 19, 2010 9:54 am
by lauthiamkok
Hi,

I have no problem injecting texts that come with quotes into my database (I think), for instance,

I'd like to say "Hello"

the problem is, when I come to edit this text (title) again, in the input field, it only shows this,

I'd like to say

the double quotes are missing. I think it is because of this - value="" which has double quotes,

Code:

<input name="pg_title" type="text" value="<?php echo $row_page['pg_title'];?>"/>
how can I fix this problem??

many thanks,
Lau

Re: Double quote injection problem with mySQL and PHP

Posted: Fri Feb 19, 2010 10:06 am
by pickle
wrap what you echo in htmlentities()
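
The fix suggested above, written out as an added example that is not part of the original posts: the stored title is passed through htmlentities() before it is echoed into the value attribute, so a quote in the data can no longer end the attribute. The helper name attr() is hypothetical, and $row_page holds a constructed sample in place of a MySQL result row.

```php
<?php
// Added example: escaping a stored value for an HTML attribute context.
// attr() is a hypothetical helper; $row_page is a constructed sample row.

function attr(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the result is safe inside
    // double-quoted and single-quoted attributes alike. Older PHP versions
    // default to ENT_COMPAT, which leaves ' untouched, so pass the flag
    // explicitly. ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
    // of making the whole result an empty string.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$row_page = ['pg_title' => 'I\'d like to say "Hello"']; // constructed sample

// Before: the first " in the data closes value="..." early, which is why
// the field in the question shows only: I'd like to say
echo '<input name="pg_title" type="text" value="'
    . $row_page['pg_title'] . '"/>' . "\n";

// After: the quotes are sent as entities and the browser decodes them
// back to the original characters when it fills the field.
echo '<input name="pg_title" type="text" value="'
    . attr($row_page['pg_title']) . '"/>' . "\n";

// Same value in a single-quoted attribute: here the apostrophe in "I'd"
// is the character that would end the attribute, which is the case
// ENT_QUOTES covers.
echo "<input name='pg_title' type='text' value='"
    . attr($row_page['pg_title']) . "'/>\n";
```

Escape at output time only and keep the raw text in the database: the browser submits the decoded value, so editing and saving the title again does not accumulate entities.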

Re: Double quote injection problem with mySQL and PHP

Posted: Fri Feb 19, 2010 10:20 am
by lauthiamkok
pickle wrote:wrap what you echo in htmlentities()
got it! thanks it works fine now :D