htmlspecialchars() function

Cleibe
Forum Newbie
Posts: 5
Joined: Mon Jun 02, 2003 8:35 am

htmlspecialchars() function

Post by Cleibe »

Ok. I've created a post card system where people can send a card and add a message to the card.
Having problems with "" (quotation marks).
When people enter "", it truncates the rest of the message and doesn't store the full message in the db.
I've been trying to use the htmlspecialchars function but no success so far.
Here's my code

$profImpact = htmlspecialchars($profImpact);

I use this when adding to and retrieving from the db.

Any help is greatly appreciated.
[]InTeR[]
Forum Regular
Posts: 416
Joined: Thu Apr 24, 2003 6:51 am
Location: The Netherlands

Post by []InTeR[] »

Maybe you need to add some error handling to your database work.

And I think you're looking for the function addslashes before entering it into the database. And be careful if you pass this information to another page with URLs and forms.
Cleibe
Forum Newbie
Posts: 5
Joined: Mon Jun 02, 2003 8:35 am

Post by Cleibe »

I've added the addslashes function before entering into the db. Still doesn't work.
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Could we see a bit more of your code?

Mac
Cleibe
Forum Newbie
Posts: 5
Joined: Mon Jun 02, 2003 8:35 am

Post by Cleibe »

This is what adds to db - profImpact is the problematic one.
////////////////////////////////////////////

$profField = trim($profField);
$profImpact = addslashes(htmlspecialchars($profImpact));
$profImpact = trim($profImpact);


$postDate = date("Y-m-d");

$query = "INSERT into sendersTB VALUES(
'0',
'$senderName',
'$senderClassYear',
'$senderEmail',
'$senderPhone',
'$senderSchool',
'$profFirstName',
'$profLastName',
'$profEmail',
'$profField',
'$profImpact',
'$messageOnCard',
'$cardId',
'$cardPath',
'$choiceId',
'$postDate',
'$processed'
)";

///////////////////////////////////////////////////////////
This is the page that reads from db for editing


// column name must be quoted, otherwise PHP treats profImpact as an undefined constant
$profImpact = stripslashes(htmlspecialchars($row['profImpact']));
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Could it be another field? Didn't see you processing the others:


<?php
// process vars for db insertion
function dbSafe(&$array) {

    foreach ($array as $key=>$value) {
        $array[$key] = mysql_escape_string($value);
    }

}
// browser safe array
function formSafe(&$array) {

    foreach ($array as $key=>$value) {
        $array[$key] = htmlspecialchars(trim($value));
    }

}

// arg's passed by reference so use like this (two stages since you sometimes want to send post'd values back to a form, ie unescaped):

formSafe($_POST);
dbSafe($_POST);

// careful you don't overwrite anything or have any unset vars in same scope (form-forgers can take advantage)!!
extract($_POST);

?>
If you have already used htmlspecialchars on the way in, you don't need to do it again on the way out.

$postDate = date("Y-m-d"); is missing an argument, ie:

$postDate = date("Y-m-d", $timestamp);

...eg:

$postDate = date("Y-m-d", time());
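Added example, not code from any poster in this thread: the pattern the replies are circling around, done with a prepared statement so the database driver keeps the message text separate from the SQL (no addslashes needed, and quotes can no longer cut the string short), and with htmlspecialchars applied once, at output time, as McGruff suggests. It assumes a SQLite in-memory database with a two-column version of the sendersTB table so it runs without MySQL; the table and column names follow the thread, the schema is an assumption, and the message text is constructed.

```php
<?php
// Added example (not from the thread). Assumes SQLite in memory and a
// reduced sendersTB schema; table/column names taken from the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE sendersTB (id INTEGER PRIMARY KEY, profImpact TEXT)");

// Constructed input: the kind of message that got truncated in the thread.
$profImpact = 'She said "do your homework" & I\'m glad I did <3';

// Store it raw. The value travels as a bound parameter, not inside the SQL
// text, so a quotation mark cannot terminate the string literal.
$stmt = $pdo->prepare("INSERT INTO sendersTB (profImpact) VALUES (:impact)");
$stmt->execute([':impact' => trim($profImpact)]);

// Read it back: the stored text is exactly what the user typed.
$row = $pdo->query("SELECT profImpact FROM sendersTB")->fetch(PDO::FETCH_ASSOC);
assert($row['profImpact'] === trim($profImpact));

// Escape only when rendering, once, with ENT_QUOTES so both ' and " are safe
// inside an attribute or a textarea on the edit page.
$forHtml = htmlspecialchars($row['profImpact'], ENT_QUOTES, 'UTF-8');
echo '<textarea name="profImpact">' . $forHtml . "</textarea>\n";
```

Because the escaping happens on the way out, the row in the database stays readable and reusable (for e-mail, plain-text export, or a later redesign of the page), and there is no stripslashes/htmlspecialchars pairing to keep in sync between the insert page and the edit page.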