
hidden input fields

Posted: Wed Nov 16, 2005 9:19 am
by s.dot
I want to allow HTML to be passed in a variable that I have inside a hidden input field. However, I'm having problems with quotes.

Let's say I enter this:

Code:

<font color="red">text</font>

Then I want to pass this through a form and stick it in a hidden input field.

It shows up like this:

Code:

<input type="hidden" name="message" value="<font color=\"red\">text!</font>">

I thought that would be OK since the " are escaped with a \

But on the webpage it shows up like this:

Code:

text!">

Like the " is ending the field.

Posted: Wed Nov 16, 2005 9:27 am
by s.dot
Is the only way to do it to use htmlentities() to pass it and to insert it into the DB, then when I need it displayed on the webpage to use html_entity_decode()?

Posted: Wed Nov 16, 2005 9:30 am
by Grim...

Code:

<input type="hidden" name="message" value="<font color=||||red||||>text!</font>">

Code:

$message = str_replace("||||", "\"", $message);

Posted: Wed Nov 16, 2005 9:33 am
by JAM
Or by using base64_encode before and base64_decode after doing the magic with it. Or similar...

Posted: Wed Nov 16, 2005 9:36 am
by s.dot
Well, I seemed to work it out using htmlentities().

However, it's showing up as HTML in the database (which is OK, I'm just wondering why it's doing it).

The value I'm POSTing looks like this:

Code:

<input type="hidden" name="message" value="&lt;font color=&quot;red&quot;&gt;text!&lt;/font&gt;">

OK, cool, that's what I expected it to do.
Here's how I'm processing this POST value:

Code:

$message = mysql_real_escape_string(me_strip_css(me_strip_js(stripslashes($_POST['message']))));

The functions me_strip_css and me_strip_js are only preg_replace-ing values.

When I submit this form, it shows up in the database as HTML and not the entities that I passed. How come?
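
Added example, not part of the thread and not any poster's code: a browser decodes the entities in an attribute value before it submits the form, so the server receives raw HTML again, which is why the database row holds HTML. The sketch below round-trips the value through PHP's DOM parser as a stand-in for the browser; `$message`, `submitted_value()` and the use of `addslashes()` to reproduce the backslashes are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. $message is a constructed sample.
$message = '<font color="red">text!</font>';

// Backslashes are not an escape in HTML, so the first " still ends the
// attribute. This reproduces the markup from the first post (addslashes is
// a stand-in for whatever added the backslashes there).
$broken = '<input type="hidden" name="message" value="'
        . addslashes($message) . '">';

// Attribute context needs entity encoding. ENT_QUOTES also covers single
// quotes, in case the attribute is ever delimited with '.
$safe = '<input type="hidden" name="message" value="'
      . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '">';

// Stand-in for the browser: parse the markup and read the attribute value
// the way a form submission would (assumes the bundled DOM extension).
function submitted_value(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings off the page
    $doc->loadHTML($html);
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

$posted = submitted_value($safe);

// The parser has already turned the entities back into characters, so
// $_POST['message'] would hold raw HTML, and so would the database row.
if ($posted !== $message) {
    throw new RuntimeException('round trip changed the value');
}

// Encode again at every output point, and treat the hidden field as
// untrusted input: the client can change it before submitting.
echo $broken, "\n", $safe, "\n";
echo htmlspecialchars($posted, ENT_QUOTES, 'UTF-8'), "\n";
```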