Proper coding to guard against users using special characters

Posted: Tue Dec 20, 2005 11:04 am
by stylus
Hello,

I have a search where the users can type the first part of a customer name and it will return the matching records; then, when a user selects the customer name from the list, it searches for the customer info (address, zip...). The problem that I am having is if the customer name has an ' in it (Bill's Auto Transport has the 's), which kills my code.

I need to know how to fix it so that the 's and any other special characters won't cause an error.

Here is my code for the search:

Code:

<?PHP
echo "
<input type=text name=search value='$_POST[search]' size=8>
<input name='create_workorder' type='submit' id='create_workorder' value='Search'>
";
?>

---------------------------------------

<?Php
echo "
<input type=hidden name=create_workorder value=1>
<select name=\"location_name\" OnChange=\"document.workorderform.submit()\"><option> </option>";
while($row = mssql_fetch_array($results)) {
    echo "<option value=\"".$row['CustomerName']."\" ".(isset($_POST['location_name']) && $_POST['location_name'] == $row['CustomerName'] ? "selected=\"selected\"" : "").">".$row['CustomerName']."</option>";
}
echo "</select></td></tr>";

while ($row2 = mssql_fetch_assoc($results2)) {
    echo "<tr><td>Street:</td><td><input type=text size=50 name=location_street value='$row2[Address]'></td></tr>
          <tr><td>&nbsp;</td><td><input type=text size=40 name=location_city value='$row2[City]'> <input type=text size=5 name=location_zip value='$row2[Zip]'></td></tr>";
}
?>

Also, if there is a tutorial somewhere about the general practice for input boxes and how to protect against the 's or " ", that would be helpful for me because I need to set up all of my input fields that way.
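
One way to write the same search/select form so that an apostrophe (or any other character) in a customer name can break neither the query nor the generated HTML, as an added example and not code from this thread: it assumes PDO with the sqlsrv driver, a table named Customers (assumed name) holding the columns shown in the post, and placeholder connection details.

```php
<?php
// Added example (not from the thread). Assumes PDO with the sqlsrv driver and a
// table named Customers (assumed name) with the columns shown in the post; the
// DSN and credentials are placeholders.
$pdo = new PDO('sqlsrv:Server=DB_HOST;Database=DB_NAME', 'DB_USER', 'DB_PASS');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Escape a value for an HTML attribute or text node. ENT_QUOTES also encodes
// the single quote, which is what broke value='...' in the original form.
function h($s): string {
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Customers whose name starts with $prefix. The value is bound, never spliced
// into the SQL text; LIKE wildcards typed by the user (%, _ and the T-SQL [)
// are escaped so they match literally.
function find_customers(PDO $pdo, string $prefix): array {
    $pattern = str_replace(['\\', '%', '_', '['], ['\\\\', '\\%', '\\_', '\\['], $prefix) . '%';
    $stmt = $pdo->prepare(
        "SELECT CustomerName FROM Customers WHERE CustomerName LIKE ? ESCAPE '\\'"
    );
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Address lookup for the chosen customer, again with a bound parameter.
function customer_address(PDO $pdo, string $name): ?array {
    $stmt = $pdo->prepare('SELECT Address, City, Zip FROM Customers WHERE CustomerName = ?');
    $stmt->execute([$name]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$search   = $_POST['search'] ?? '';
$selected = $_POST['location_name'] ?? '';

// Every dynamic value goes through h(); attribute values are double-quoted.
echo '<input type="text" name="search" value="' . h($search) . '" size="8">';
echo '<input name="create_workorder" type="submit" value="Search">';
echo '<select name="location_name" onchange="document.workorderform.submit()"><option> </option>';
foreach (find_customers($pdo, $search) as $name) {
    $sel = ($name === $selected) ? ' selected="selected"' : '';
    echo '<option value="' . h($name) . '"' . $sel . '>' . h($name) . '</option>';
}
echo '</select>';
if ($selected !== '' && ($row = customer_address($pdo, $selected))) {
    echo '<input type="text" size="50" name="location_street" value="' . h($row['Address']) . '">';
    echo '<input type="text" size="40" name="location_city" value="' . h($row['City']) . '">';
    echo '<input type="text" size="5" name="location_zip" value="' . h($row['Zip']) . '">';
}
```

The two rules it applies are the ones to carry into every input field: pass user data to the database only as bound parameters, and pass it to the browser only through htmlspecialchars() inside double-quoted attributes.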

Posted: Tue Dec 20, 2005 11:09 am
by Chris Corbyn