
htmlentities or htmlspecialchars in textarea or textbox?

Posted: Wed Aug 30, 2006 11:37 pm
by robster
Hi all, I have users on a desktop app that want to be able to input things like

Code:

<man>  <woman>  man  woman
They use this to differentiate between client types (for example).

I have it entering the data just fine; it goes into the database (MySQL), and it retrieves and draws it on screen.

To draw it into a standard table, during the draw loop I use:

Code:

$history = htmlspecialchars($history, ENT_NOQUOTES);
The thing is, and here's where I'm stuck: when I go to edit this info, I have a form set up where I click EDIT next to an item and the contents are reloaded into the form's textboxes and textareas so I can edit them. When I hit edit and try to draw the info into the textarea, it won't appear!

How bizarre. Can anyone explain this?

It draws normal text like

Code:

woman man
but not anything with any html looking wrappers like

Code:

<woman> <man>
Any help really appreciated.

Rob

Posted: Wed Aug 30, 2006 11:41 pm
by feyd
Can you post the code specific to the textarea?

Posted: Wed Aug 30, 2006 11:49 pm
by robster
Note: as I typed this I found the problem; read the end of the post if you wish to see. Thank you.

Sure, I enter the data into the database like so:

Code:

	$action = $_GET['action'];
	$history = $_GET['history'];
	$Submit = $_GET['Submit'];
	$id = $_GET['id'];

	// Add / Edit history
	if ($Submit == "Add")
	{
		$today = date('Y-m-d');
		$action = "";
		// Escape the user-supplied text for SQL before interpolating it into the query.
		// The raw text (angle brackets included) is what gets stored; it is only
		// escaped for HTML later, at output time.
		$history_sql = mysql_real_escape_string($history);
		$client_sql  = (int) $clientid;
		$query = "INSERT INTO colour_history VALUES ('', '{$user_id['user_id']}', '$client_sql', '$today', '$history_sql')";
		$Update = mysql_db_query($dbname, $query) or die(mysql_error() . ': ' . htmlentities($query));
	}

It goes in just fine, with the <> brackets or whatever else I put in.

I then draw it to the screen in a table like so:

Code:

	// Run the SELECT once, before the loop (the original re-ran it on every
	// iteration). client_id is an integer, so cast it rather than interpolating it raw
	$result = mysql_db_query($dbname, "SELECT * FROM colour_history WHERE client_id = " . (int) $clientid . " ORDER BY date ASC");

	while ($row = mysql_fetch_array($result))
	{
		$id = $row["id"];
		$operator_id = $row["operator_id"];
		$date = $row["date"];
		$history = $row["history"];

		$date = convert_date($date);
		$operator_array = get_stylist_name($operator_id);

		// Escape at output time: a stored <man> is emitted as &lt;man&gt;,
		// so the browser shows it literally instead of parsing it as a tag
		//$history = htmlentities($history, ENT_NOQUOTES);
		$history = htmlspecialchars($history, ENT_NOQUOTES);

		echo "<tr  bgcolor=\"#d5d5d5\" onMouseOver=\"this.bgColor='#BBBBBB';\" onMouseOut=\"this.bgColor='#d5d5d5';\">";
		echo "<td class=\"admin-table\">$date</td>";
		echo "<td class=\"admin-table\">$operator_array[name]</td>";
		echo "<td class=\"admin-table\">$history</td>";
		print "<td class=\"admin-table\" width=\"10%\">";
		print "<div align=\"center\">";
		print "<a href=\"clients_colour_history.php?id=$id&action=edit\"><img border=\"0\" src=\"images/edit.png\" alt=\"Modify\"></a>&nbsp;";
		print "<a href=\"clients_colour_history.php?id=$id&action=delete\"><img border=\"0\" src=\"images/delete.png\" alt=\"Delete\"></a></div>";
		print "</td>";
		echo "</tr>";
	}

That works a treat, it's all there, on screen in the table. With the <> etc.

I then, after clicking the edit.png next to the data, go to draw it into the form to edit like so:

Code:

	{
		// Show selected history (id comes from the query string, so cast it to an integer)
		$Show = mysql_db_query($dbname, "SELECT * FROM colour_history WHERE id='" . (int) $id . "'");
		$ShowRow = mysql_fetch_array($Show);
		$ShowDate = strip_tags($ShowRow["date"]);
		// strip_tags() removes anything that looks like markup, so an entry
		// consisting only of <man> or <woman> comes back as an empty string
		$ShowHistory = strip_tags($ShowRow["history"]);
		$ShowClient_id = strip_tags($ShowRow["client_id"]);

		//$ShowHistory = html_entity_decode($ShowHistory, ENT_NOQUOTES);

		mysql_free_result($Show);
	}

// ... then later down the file

	  <tr>
		<td valign="top" align="center">

		<?php
			print "Colour History<br>";
			print "<textarea name=\"history\" cols=\"30\" rows=\"6\" wrap=\"VIRTUAL\">";
			if ($action == "edit")
			{
				// Escaping < as &lt; shows the text literally inside the textarea
				// and stops a stored </textarea> from closing the element early
				$ShowHistory = htmlspecialchars($ShowHistory, ENT_NOQUOTES);
				print($ShowHistory);
			}
			print "</textarea>";
		?>
		</td>
	  </tr>
And with that I just answered my question!!!!! ARRGGGHHHH, I had strip_tags() when I pulled the data from the database. Thanks so much, and sorry to waste your time.

Such a goose!!!

:)

Rob
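The round trip this thread describes, as an added example that is not part of the original posts or of robster's code: store the raw text (including the literal <man> and <woman> markers), escape it only when rendering into the table cell and into the textarea, and show what strip_tags() on the read path does to it. It assumes a PHP build with pdo_sqlite for the in-memory table; the table and column names are stand-ins for the poster's colour_history table, and the input string is constructed for the demonstration.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7+ with pdo_sqlite.
// Table and column names are hypothetical stand-ins for the poster's schema.

// Escape for an ordinary HTML text node (a table cell). ENT_QUOTES is a safer
// default than ENT_NOQUOTES: it also neutralises quotes should the value ever
// land inside an attribute.
function escape_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A <textarea> is RCDATA: only '<' and '&' are special there, but using the
// same escaping keeps a stored "</textarea><script>" from breaking out.
function escape_for_textarea(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The bug from the thread: strip_tags() treats <man> and <woman> as markup
// and removes them, so "<man> <woman>" collapses to a single space.
function buggy_read(string $stored): string {
    return strip_tags($stored);
}

// Store the raw text and read it back unchanged; escaping happens at output.
function store_and_load(PDO $db, int $clientId, string $history): string {
    $db->exec('CREATE TABLE IF NOT EXISTS colour_history (
        id        INTEGER PRIMARY KEY AUTOINCREMENT,
        client_id INTEGER NOT NULL,
        date      TEXT    NOT NULL,
        history   TEXT    NOT NULL)');

    // Prepared statement: the value never becomes part of the SQL text,
    // unlike the interpolated '$history' in the original INSERT.
    $ins = $db->prepare('INSERT INTO colour_history (client_id, date, history) VALUES (?, ?, ?)');
    $ins->execute([$clientId, date('Y-m-d'), $history]);
    $id = (int) $db->lastInsertId();

    $sel = $db->prepare('SELECT history FROM colour_history WHERE id = ?');
    $sel->execute([$id]);
    return (string) $sel->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed input: the poster's markers, a single quote that would have
// broken the original interpolated INSERT, and a textarea break-out attempt.
$input  = "<man> <woman> O'Brien </textarea><script>alert(1)</script>";
$stored = store_and_load($db, 42, $input);

if ($stored !== $input) {
    throw new RuntimeException('history was altered on the way through the database');
}

// Table cell: markers shown literally, script element rendered inert.
echo "<td>" . escape_for_html($stored) . "</td>\n";

// Edit form: same escaping, textarea shows the literal text and stays closed.
echo "<textarea name=\"history\">" . escape_for_textarea($stored) . "</textarea>\n";

// What the original edit path did to a marker-only entry.
echo "strip_tags() leaves: '" . buggy_read("<man> <woman>") . "'\n";
```

Run it with `php example.php`. The two things to take from it: the database is the wrong place to sanitise (store what the user typed, escape per output context), and strip_tags() is a display-time filter that destroys data, so it has no place on the read path of an edit form.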

Posted: Wed Aug 30, 2006 11:59 pm
by feyd
I like these kinds of questions... they're just so darn rare. :? :)