Form Input => Question Inside...
Posted: Mon Feb 20, 2006 11:52 am
by seodevhead
Hey guys, do I need to do any escaping (like htmlentities() ) when I have a form field input re-displayed when, say, the user incorrectly fills something out. In other words... this is what I have:
<input type="text" name="username" size="15" maxlength="15" value="<?php
if (isset($_POST['username'])) echo $_POST['username']; ?>" />
Should I be using htmlentities() around the $_POST['username'] variable? Is any escaping needed when displaying input within a form field element? Thanks for your advice!
Posted: Mon Feb 20, 2006 12:05 pm
by feyd
yes.
Posted: Mon Feb 20, 2006 12:06 pm
by seodevhead
I don't need to addslashes() do I? Just htmlentities right?
Posted: Mon Feb 20, 2006 12:09 pm
by feyd
addslashes() will do nothing but hurt in this case. htmlentities() is the only thing required most often.
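As an added example (not code from either poster), here is the original re-display pattern beside an addslashes() variant and the htmlentities() fix, fed a constructed payload so the difference is visible. The $submitted string stands in for $_POST['username']; the ENT_QUOTES flag and explicit 'UTF-8' argument are deliberate, since on PHP releases before 8.1 the default flags do not encode single quotes, and before 5.4 the default charset was ISO-8859-1.

```php
<?php
// Added example, not from the original thread: re-displaying a submitted
// value inside an input's value="" attribute, unescaped vs. escaped.

// Constructed attacker-style input; imagine it arrived as $_POST['username'].
$submitted = '"><script>alert(1)</script><b x="';

// What the original snippet does: the first double quote closes the value
// attribute and everything after it becomes live markup in the page.
function renderUnescaped(string $value): string
{
    return '<input type="text" name="username" value="' . $value . '" />';
}

// addslashes() does not help: a backslash means nothing to an HTML parser,
// so the quote still terminates the attribute and the script still runs.
function renderAddslashes(string $value): string
{
    return '<input type="text" name="username" value="'
         . addslashes($value) . '" />';
}

// The fix: HTML-encode for the attribute context. ENT_QUOTES encodes both
// quote styles so a single-quoted attribute is covered too; naming the
// charset avoids depending on the default_charset ini setting.
function renderEscaped(string $value): string
{
    $safe = htmlentities($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="username" value="' . $safe . '" />';
}

echo renderUnescaped($submitted), "\n";
echo renderAddslashes($submitted), "\n";
echo renderEscaped($submitted), "\n";
```

Run it and compare the three lines: in the first two the attribute ends after `value=""` and the `<script>` tag is part of the document, while in the third the quotes and angle brackets have become `&quot;`, `&lt;` and `&gt;` and the whole payload is inert text inside the field. The same encoding is needed for any other place submitted data is echoed into HTML, not just form fields.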
Posted: Mon Feb 20, 2006 12:11 pm
by seodevhead
Thanks a ton feyd! Much obliged!
stripslashes
Posted: Tue Feb 21, 2006 10:20 pm
by cknudsen
Actually, if you have magic_quotes_gpc enabled in your php.ini, you may want to call stripslashes() in addition to htmlentities(). If not, then just htmlentities().
Posted: Wed Feb 22, 2006 12:31 am
by matthijs
To get rid of any slashes added if magic quotes are enabled, see the function I gave here.
You can include this in the top of every script. Then you never have to use stripslashes or addslashes anymore.
If you would like to read some more about the trouble with magic quotes (and therefore addslashes/stripslashes) see http://www.sitepoint.com/blogs/2005/03/ ... headaches/
Understanding well how and why magic quotes and functions like addslashes, stripslashes, htmlentities etc work, prevents a lot of frustration.
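As an added example (not the function matthijs linked, whose target is not on this page), this is the kind of top-of-script block cknudsen and matthijs describe: undo what magic_quotes_gpc did to the request arrays once, so the rest of the script sees raw values and only ever escapes on output. The guard is deliberate: magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, so on a modern interpreter the strip is skipped and the function call does not fatally error. The $magicQuotedPost array is constructed to show what the input looked like on an affected setup.

```php
<?php
// Added example, not from the original thread: reverse magic_quotes_gpc at
// the top of a script so no later code needs stripslashes() or addslashes().

// Recursively strip the backslashes magic quotes inserted. Array keys are
// handled too, because magic_quotes_gpc escaped keys as well as values.
function stripMagicQuotes(array $data): array
{
    $clean = [];
    foreach ($data as $key => $value) {
        if (is_string($key)) {
            $key = stripslashes($key);
        }
        if (is_array($value)) {
            $clean[$key] = stripMagicQuotes($value);
        } elseif (is_string($value)) {
            $clean[$key] = stripslashes($value);
        } else {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Only undo what PHP actually did. The feature was removed in PHP 5.4 and
// the query function in 8.0, so check for the function first; the @ silences
// the deprecation notice 7.4 emits. On current PHP this block never runs.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET     = stripMagicQuotes($_GET);
    $_POST    = stripMagicQuotes($_POST);
    $_COOKIE  = stripMagicQuotes($_COOKIE);
    $_REQUEST = stripMagicQuotes($_REQUEST);
}

// Constructed demonstration of a magic-quoted $_POST for a user who typed
// O'Brien, a note containing double quotes, and a nested array field.
$magicQuotedPost = [
    'username' => "O\\'Brien",
    'note'     => "said \\\"hi\\\"",
    'tags'     => ["it\\'s", 'plain'],
];
$raw = stripMagicQuotes($magicQuotedPost);

// Escape exactly once, at output time, for the HTML attribute context.
echo '<input type="text" name="username" value="'
   . htmlentities($raw['username'], ENT_QUOTES, 'UTF-8') . '" />', "\n";
echo '<input type="text" name="note" value="'
   . htmlentities($raw['note'], ENT_QUOTES, 'UTF-8') . '" />', "\n";
```

The point of doing this in one place is that the two concerns stay separate: slashes are an input-transport artefact of one ini setting and are removed where input enters, while htmlentities() is applied where data leaves for the browser. Mixing them (stripslashes in templates, addslashes before echo) is exactly how the doubled or missing backslashes the SitePoint article complains about appear.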