htmlspecialchars() function
Posted: Mon Jun 02, 2003 8:35 am
by Cleibe
Ok. I've created a post card system where people can send a card and add a message to the card.
Having problems with "" (quotation).
When people enter "" it truncates the rest of the message. Doesn't enter the full message on db.
I've been trying to use the htmlspecialchars function but no success so far.
Here's my code
$profImpact = htmlspecialchars($profImpact);
I use this when adding to and retrieving from the db.
Any help is greatly appreciated.
Posted: Mon Jun 02, 2003 8:39 am
by []InTeR[]
Maybe you need to add some error handling to your database code.
And I think you're looking for the function addslashes before entering it into the database. And be careful if you pass this information to another page through URLs and forms.
Posted: Mon Jun 02, 2003 8:42 am
by Cleibe
I've added the addslashes function before entering into the db. Still doesn't work.
Posted: Mon Jun 02, 2003 8:44 am
by twigletmac
Could we see a bit more of your code?
Mac
Posted: Mon Jun 02, 2003 8:50 am
by Cleibe
This is what adds to db - profImpact is the problematic one.
////////////////////////////////////////////
$profField = trim($profField);
$profImpact = addslashes(htmlspecialchars($profImpact));
$profImpact = trim($profImpact);
$postDate = date("Y-m-d");
$query = "INSERT into sendersTB VALUES(
'0',
'$senderName',
'$senderClassYear',
'$senderEmail',
'$senderPhone',
'$senderSchool',
'$profFirstName',
'$profLastName',
'$profEmail',
'$profField',
'$profImpact',
'$messageOnCard',
'$cardId',
'$cardPath',
'$choiceId',
'$postDate',
'$processed'
)";
///////////////////////////////////////////////////////////
This is the page that reads from db for editing
$profImpact = stripslashes(htmlspecialchars($row['profImpact']));
Posted: Mon Jun 02, 2003 12:27 pm
by McGruff
Could it be another field? Didn't see you processing the others:
<?php
// process vars for db insertion
// (mysql_escape_string does not know the connection's character set;
//  mysql_real_escape_string on an open connection is the charset-aware variant)
function dbSafe(&$array) {
    foreach ($array as $key => $value) {
        $array[$key] = mysql_escape_string($value);
    }
}

// browser safe array: escape for HTML output and drop surrounding whitespace
function formSafe(&$array) {
    foreach ($array as $key => $value) {
        $array[$key] = htmlspecialchars(trim($value));
    }
}

// arg's passed by reference so use like this (two stages since you sometimes
// want to send post'd values back to a form, ie unescaped):
formSafe($_POST);
dbSafe($_POST);

// careful you don't overwrite anything or have any unset vars in same scope
// (form-forgers can take advantage)!!
extract($_POST);
?>
If you have already used htmlspecialchars on the way in, you don't need to do it again on the way out.
$postDate = date("Y-m-d"); is missing an argument, ie:
$postDate = date("Y-m-d", $timestamp);
...eg:
$postDate = date("Y-m-d", time());
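The two escaping contexts the replies describe (one for the database, one for the browser), as an added example that is not code from this thread or from any of its posters. It shows why a quote inside the message breaks the interpolated INSERT, then does the database side with a PDO prepared statement instead of addslashes/mysql_escape_string, and applies htmlspecialchars only when the value is rendered back into the edit form. It assumes PHP 7 with the pdo_sqlite extension; the table and column names mirror the thread, while the sample message and the function names (insertInterpolated, insertPrepared, renderHtml, editFormField) are constructed for the example.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with pdo_sqlite.
// An in-memory SQLite database stands in for the MySQL table so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sendersTB (id INTEGER PRIMARY KEY, senderName TEXT, profImpact TEXT)');

// Constructed input: both kinds of quotes plus an HTML tag, to exercise both contexts.
$senderName = 'Cleibe';
$profImpact = 'He said "well done", then <b>laughed</b> and it wasn\'t over';

// BEFORE (the pattern posted in the thread): the message text becomes part of the SQL.
// A single quote ends the string literal early and the rest is parsed as SQL,
// which is how data can either break the statement or change what it does.
function insertInterpolated(PDO $db, string $name, string $impact): string {
    $sql = "INSERT INTO sendersTB VALUES (NULL, '$name', '$impact')";
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();   // the symptom: the row never makes it in
    }
}

// AFTER: a prepared statement ships the values separately from the SQL text,
// so quotes in the data cannot alter the query. No addslashes/escape_string
// is needed, and nothing gets double-escaped on the way in.
function insertPrepared(PDO $db, string $name, string $impact): int {
    $stmt = $db->prepare('INSERT INTO sendersTB (senderName, profImpact) VALUES (:name, :impact)');
    $stmt->execute([':name' => $name, ':impact' => $impact]);
    return (int) $db->lastInsertId();
}

// Output context: escape for HTML only when rendering, never before storing.
// ENT_QUOTES covers both ' and ", so the value is also safe inside attribute values.
function renderHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Reads the raw stored value back (prepared, so the id is bound, not interpolated).
function fetchImpact(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT profImpact FROM sendersTB WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Edit form: the stored value goes back into the textarea HTML-escaped,
// which replaces the stripslashes(htmlspecialchars(...)) step from the thread.
function editFormField(PDO $db, int $id): string {
    return '<textarea name="profImpact">' . renderHtml(fetchImpact($db, $id)) . '</textarea>';
}

echo 'interpolated: ' . insertInterpolated($db, $senderName, $profImpact) . "\n";

$id = insertPrepared($db, $senderName, $profImpact);
echo 'stored unchanged: ' . var_export(fetchImpact($db, $id) === $profImpact, true) . "\n";
echo editFormField($db, $id) . "\n";
```

Run it with `php example.php`: the interpolated insert reports an SQL syntax error, the prepared insert stores the message byte for byte (quotes included), and the edit form shows the tag and quotes as `&lt;b&gt;`, `&quot;` and `&#039;` rather than as live markup. The point that carries over to the thread's MySQL setup is that escaping belongs to the consumer: the database driver handles SQL quoting through bound parameters, and htmlspecialchars handles the browser at output time, so neither step needs to be undone before the other.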