Ok. I've created a post card system where people can send a card and add a message to the card.
Having problems with "" (quotation).
When people enter "" it truncates the rest of the message. It doesn't enter the full message in the db.
I've been trying to use the htmlspecialchars function but no success so far.
Here's my code
$profImpact = htmlspecialchars($profImpact);
I use this when adding to and retrieving from the db.
Any help is greatly appreciated.
htmlspecialchars() function
This is what adds to db - profImpact is the problematic one.
////////////////////////////////////////////
$profField = trim($profField);
$profImpact = addslashes(htmlspecialchars($profImpact));
$profImpact = trim($profImpact);
$postDate = date("Y-m-d");
$query = "INSERT into sendersTB VALUES(
'0',
'$senderName',
'$senderClassYear',
'$senderEmail',
'$senderPhone',
'$senderSchool',
'$profFirstName',
'$profLastName',
'$profEmail',
'$profField',
'$profImpact',
'$messageOnCard',
'$cardId',
'$cardPath',
'$choiceId',
'$postDate',
'$processed'
)";
///////////////////////////////////////////////////////////
This is the page that reads from db for editing
$profImpact = stripslashes(htmlspecialchars($row['profImpact']));
Could it be another field? Didn't see you processing the others:
If you have already used htmlspecialchars on the way in, you don't need to do it again on the way out.
$postDate = date("Y-m-d"); is missing an argument, i.e.:
$postDate = date("Y-m-d", $timestamp);
...e.g.:
$postDate = date("Y-m-d", time());
<?php
// process vars for db insertion
// (mysql_escape_string() belongs to the old mysql extension, which was removed in PHP 7)
function dbSafe(&$array) {
    foreach ($array as $key => $value) {
        $array[$key] = mysql_escape_string($value);
    }
}

// browser safe array
function formSafe(&$array) {
    foreach ($array as $key => $value) {
        $array[$key] = htmlspecialchars(trim($value));
    }
}

// args are passed by reference so use like this (two stages since you sometimes
// want to send post'd values back to a form, i.e. unescaped):
formSafe($_POST);
dbSafe($_POST);

// careful you don't overwrite anything or have any unset vars in same scope
// (form-forgers can take advantage)!!
extract($_POST);
?>
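As an added example (not code from this thread), here is the same insert-then-edit round trip written so the message is stored unchanged and escaped once, at output: a PDO prepared statement keeps the quotes out of the SQL, and htmlspecialchars() with ENT_QUOTES keeps them from ending the form attribute. It assumes PHP with the pdo_sqlite driver and a made-up "cards" table with a single profImpact column.

```php
<?php
// Added example, not from the thread. In-memory SQLite so it runs offline;
// the "cards" table and its profImpact column are assumptions for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cards (id INTEGER PRIMARY KEY, profImpact TEXT)');

// The text goes into the database as typed. The bound placeholder keeps
// quotes and backslashes out of the SQL grammar, so no addslashes() is
// needed and nothing has to be stripped back out on the way to the form.
function saveCard(PDO $db, string $profImpact): int {
    $stmt = $db->prepare('INSERT INTO cards (profImpact) VALUES (:impact)');
    $stmt->execute([':impact' => trim($profImpact)]);
    return (int) $db->lastInsertId();
}

function loadCard(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT profImpact FROM cards WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML escaping happens exactly once, where the value is rendered. ENT_QUOTES
// also converts the single quote, so the value is safe in either attribute
// quoting style; escaping before storage would double-encode on re-save.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$input = 'She said "well done" and O\'Brien agreed';   // constructed sample
$id    = saveCard($db, $input);
$saved = loadCard($db, $id);

// Round trip is lossless: what was typed is what came back.
if ($saved !== $input) {
    throw new RuntimeException('stored message does not match input');
}

// The edit form. Unescaped, the first " in $saved would close the value
// attribute and the rest of the message would vanish from the field.
echo '<textarea name="profImpact">' . h($saved) . "</textarea>\n";
echo '<input type="text" name="profImpact" value="' . h($saved) . '">' . "\n";
```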