Proper coding to guard against users using special characters
Posted: Tue Dec 20, 2005 11:04 am
Hello,
I have a search where the users can type the first part of a customer name and it will return the matching records; then, when a user selects the customer name from the list, it searches for the customer info (address, zip...). The problem that I am having is if the customer name has an ' in it: (Bill's Auto Transport) has the 's, which kills my code.
I need to know how to fix it so that the 's and any other special characters won't cause an error.
Here is my code for the search
<?PHP
echo "
<input type=text name=search value='$_POST[search]' size=8>
<input name='create_workorder' type='submit' id='create_workorder' value='Search'>
";
?>
---------------------------------------
<?Php
echo "
<input type=hidden name=create_workorder value=1>
<select name=\"location_name\" OnChange=\"document.workorderform.submit()\"><option> </option>";
while($row = mssql_fetch_array($results)) {
echo "<option value=\"".$row['CustomerName']."\" ".(isset($_POST['location_name']) && $_POST['location_name'] == $row['CustomerName'] ? "selected=\"selected\"" : "").">".$row['CustomerName']."</option>";
}
echo "</select></td></tr>";
while ($row2 = mssql_fetch_assoc($results2))
{
echo "<tr><td>Street:</td><td><input type=text size=50 name=location_street value='$row2[Address]'></td></tr>
<tr><td> </td><td><input type=text size=40 name=location_city value='$row2[City]'> <input type=text size=5 name=location_zip value='$row2[Zip]'></td></tr>";
}
?>
Also, if there is a tutorial somewhere about the general practice for input boxes and how to protect against the 's or " ", that would be helpful for me because I need to set up all of my input fields that way.
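Added example, not code from the original post. The apostrophe breaks this page in two separate places: in the SQL query (not shown above) when the search term or the selected name is spliced into the query text, and in the HTML when a value containing ' is dropped into a single-quoted attribute such as value='$row2[Address]'. The fix is the same for every input field: bind user values to the query as parameters instead of building the query string, and run every value echoed into HTML through htmlspecialchars with ENT_QUOTES. The code below assumes a PDO connection to SQL Server (pdo_sqlsrv or pdo_dblib driver) and a hypothetical Customers table with columns CustomerName, Address, City and Zip; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the original poster's code. Assumes a PDO connection to
// SQL Server (pdo_sqlsrv or pdo_dblib driver) and a hypothetical Customers table
// with columns CustomerName, Address, City and Zip. DSN and credentials are placeholders.
$pdo = new PDO('sqlsrv:Server=localhost;Database=workorders', 'app_user', 'secret');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Everything echoed into HTML goes through this. ENT_QUOTES also escapes the
// single quote, so a name like Bill's Auto Transport cannot break out of an
// attribute, and markup in a tampered form field or record is rendered inert.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

$search        = $_POST['search'] ?? '';
$location_name = $_POST['location_name'] ?? '';

// Prefix search. The user's text is passed as a bound parameter, never spliced
// into the SQL string, so quotes in it are data, not syntax. The LIKE wildcards
// % _ [ (and a literal backslash) are escaped so the user cannot widen the match.
$prefix = addcslashes($search, '%_[\\') . '%';
$stmt = $pdo->prepare(
    "SELECT CustomerName FROM Customers WHERE CustomerName LIKE ? ESCAPE '\\' ORDER BY CustomerName"
);
$stmt->execute([$prefix]);
$names = $stmt->fetchAll(PDO::FETCH_COLUMN);

echo '<form name="workorderform" method="post">';
echo '<input type="text" name="search" value="' . h($search) . '" size="8"> ';
echo '<input type="submit" name="create_workorder" value="Search">';
echo '<select name="location_name" onchange="document.workorderform.submit()"><option></option>';
foreach ($names as $name) {
    $selected = ($name === $location_name) ? ' selected="selected"' : '';
    echo '<option value="' . h($name) . '"' . $selected . '>' . h($name) . '</option>';
}
echo '</select>';

// Detail lookup for the selected customer: exact match, again as a bound parameter.
if ($location_name !== '') {
    $stmt = $pdo->prepare('SELECT Address, City, Zip FROM Customers WHERE CustomerName = ?');
    $stmt->execute([$location_name]);
    echo '<table>';
    while ($row2 = $stmt->fetch(PDO::FETCH_ASSOC)) {
        echo '<tr><td>Street:</td><td><input type="text" size="50" name="location_street" value="'
           . h($row2['Address']) . '"></td></tr>';
        echo '<tr><td></td><td><input type="text" size="40" name="location_city" value="' . h($row2['City']) . '"> '
           . '<input type="text" size="5" name="location_zip" value="' . h($row2['Zip']) . '"></td></tr>';
    }
    echo '</table>';
}
echo '</form>';
```

The old mssql_* extension used in the post has no parameter binding, which is why the query had to be built from strings in the first place. If the code must stay on mssql_query for now, the minimum is to double every single quote in each value before splicing it in (str_replace("'", "''", $value)), and still escape output with htmlspecialchars as above; parameterised queries remain the proper fix, since they make the quoting problem disappear for every field at once.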