Escaping ' tags from search outputs
Posted: Fri Dec 16, 2005 9:24 am
Hello,
When I run this page it automatically returns all the records from my database, and the "Johnny's Selected Seeds" record becomes "selected". The option tag is broken because of the ' in the name of the company and then the "selected" becomes part of the HTML tag. This is what it looks like when I view source:
"<option value=Johnny's Selected Seeds>Johnny's Selected Seeds</option>"
What do I need to use to escape around the data output so that the HTML tags don't see the ' ??
Here is my code thus far:
<form name="search" action="sqltest.php" method="post">
<input type="text" name="search">
<input type="submit" name="submit" value="go">
</form>
<?
$server="REMOVED BY HAWLEYJR";
$username="REMOVED BY HAWLEYJR";
$password="REMOVED BY HAWLEYJR";
$sqlconnect=mssql_connect($server, $username, $password);
$sqldb=mssql_select_db("COApgar",$sqlconnect);
$sqlquery="SELECT CustomerName FROM ARCustomers WHERE CustomerName LIKE '$_POST[search]%' ORDER BY CustomerName;";
$results= mssql_query($sqlquery);
echo "<select name='subcat'><option> </option>";
while($row = mssql_fetch_array($results)) {
echo "<option value=$row[CustomerName]>$row[CustomerName]</option>";
}
echo "</select>";
echo "<input type=submit value=Submit>";
echo "</form>";
mssql_close($sqlconnect);
?>
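The break described in the post comes from writing the database value into an unquoted `value=` attribute without HTML-escaping it; the same `$_POST[search]` value is also concatenated into the SQL string. The following is an added example, not the poster's code, showing both handled: the helper names `h`, `find_customers` and `render_select` are hypothetical, and an in-memory SQLite database with constructed rows stands in for the MSSQL server so the script runs offline.

```php
<?php
// Added example, not the poster's code. Table and column names come from the
// post; the SQLite database and its rows are constructed stand-ins.

// Escape a value for use inside a quoted HTML attribute or as element text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Prefix search with a bound parameter, so a ' in the search box stays data.
function find_customers(PDO $db, string $prefix): array
{
    // Neutralise LIKE wildcards in the user's input; '!' is the escape character.
    $map = ['!' => '!!', '%' => '!%', '_' => '!_', '[' => '!['];
    $pattern = strtr($prefix, $map) . '%';
    $stmt = $db->prepare(
        "SELECT CustomerName FROM ARCustomers
         WHERE CustomerName LIKE ? ESCAPE '!' ORDER BY CustomerName"
    );
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Build the <select>; every attribute value is quoted and escaped.
function render_select(array $names): string
{
    $html = '<select name="subcat"><option value=""></option>';
    foreach ($names as $name) {
        $html .= '<option value="' . h($name) . '">' . h($name) . '</option>';
    }
    return $html . '</select>';
}

// Constructed sample data, including names with ' and with HTML metacharacters.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ARCustomers (CustomerName TEXT)');
$insert = $db->prepare('INSERT INTO ARCustomers VALUES (?)');
foreach (["Johnny's Selected Seeds", 'Jones <b>& Co</b>', 'Acme'] as $row) {
    $insert->execute([$row]);
}

$search = 'Jo'; // stands in for $_POST['search']
echo render_select(find_customers($db, $search)), "\n";
```

Quoting the attribute and passing `ENT_QUOTES` are both needed: without the quotes the first space ends the value, and without `ENT_QUOTES` a `'` would still close a single-quoted attribute.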