hidden fields containing quotes...

am 23.01.2008 12:42:07 von jodleren

Hi!

I just realised a problem in a system I am doing.
I pass data on in a hidden and a text input, of course with
value="whatever"
The problem happens with
value="whatever is there are " one more?"

How have people solved this?

Re: hidden fields containing quotes...

am 23.01.2008 12:50:01 von luiheidsgoeroe

On Wed, 23 Jan 2008 12:42:07 +0100, jodleren wrote:

> Hi!
>
> I just realised a problem in a system I am doing.
> I pass data on in a hidden and a text input, of course with
> value="whatever"
> The problem happens with
> value="whatever is there are " one more?"
>
> How have people solved this?

htmlspecialchars($string, ENT_QUOTES);
--

Rik Wasmus

Re: hidden fields containing quotes...

am 23.01.2008 12:50:43 von luiheidsgoeroe

On Wed, 23 Jan 2008 12:50:01 +0100, Rik Wasmus wrote:

> On Wed, 23 Jan 2008 12:42:07 +0100, jodleren wrote:
>
>> Hi!
>>
>> I just realised a problem in a system I am doing.
>> I pass data on in a hidden and a text input, of course with
>> value="whatever"
>> The problem happens with
>> value="whatever is there are " one more?"
>>
>> How have people solved this?
>
> htmlspecialchars($string, ENT_QUOTES);

BTW, if you're just learning this now: be sure you're not vulnerable to
XSS attacks!
--

Rik Wasmus

Re: hidden fields containing quotes...

am 23.01.2008 12:53:24 von Luuk

"jodleren" schreef in bericht
news:831a0847-15e7-40bf-b7bb-0fa6e8ba3f2b@d21g2000prf.googlegroups.com...
> Hi!
>
> I just realised a problem in a system I am doing.
> I pass data on in a hidden and a text input, of course with
> value="whatever"
> The problem happens with
> value="whatever is there are " one more?"
>
> How have people solved this?

http://nl2.php.net/manual/en/function.htmlentities.php

Re: hidden fields containing quotes...

am 23.01.2008 13:02:45 von Courtney

Rik Wasmus wrote:
> On Wed, 23 Jan 2008 12:42:07 +0100, jodleren wrote:
>
>> Hi!
>>
>> I just realised a problem in a system I am doing.
>> I pass data on in a hidden and a text input, of course with
>> value="whatever"
>> The problem happens with
>> value="whatever is there are " one more?"
>>
>> How have people solved this?
>
> htmlspecialchars($string, ENT_QUOTES);

Yes. Any strings embedded in forms and form variables that need to use
and display quotes and the like, need expressing in 'proper' HTML.

I am not quite sure how it happens, but these seem in my case to get
magically removed when stuffing into the MySQL database.


I've probably got some magic set up by default ;-)

Re: hidden fields containing quotes...

am 23.01.2008 13:15:11 von luiheidsgoeroe

On Wed, 23 Jan 2008 13:02:45 +0100, The Natural Philosopher wrote:

> Rik Wasmus wrote:
>> On Wed, 23 Jan 2008 12:42:07 +0100, jodleren wrote:
>>
>>> Hi!
>>>
>>> I just realised a problem in a system I am doing.
>>> I pass data on in a hidden and a text input, of course with
>>> value="whatever"
>>> The problem happens with
>>> value="whatever is there are " one more?"
>>>
>>> How have people solved this?
>> htmlspecialchars($string, ENT_QUOTES);
>
> Yes. Any strings embedded in forms and form variables that need to use
> and display quotes and the like, need expressing in 'proper' HTML.
>
> I am not quite sure how it happens, but these seem in my case to get
> magically removed when stuffing into the MySQL database.
>
>
> I've probably got some magic set up by default ;-)

Nope, just look at the raw POST or GET request. The magic is in the
browser/UA (which is the agent who can actually do something with/use html
entities).

--

Rik Wasmus
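The fix from the first reply (htmlspecialchars with ENT_QUOTES) and the point above about the browser doing the decoding, as one added PHP example that is not code from the thread; the sample value, the function names and the regex stand-in for the browser's attribute parsing are constructed for illustration:

```php
<?php
// Added example, not code from the thread: renders the original poster's value
// into a hidden field two ways, then simulates the browser's entity decoding so
// Rik's point (the "magic" is in the UA, not in PHP or MySQL) is visible.

// Constructed sample value: the string from the original post.
$value = 'whatever is there are " one more?';

// Broken, as in the original post: the literal quote ends the attribute
// early and everything after it is parsed as stray markup. With data that
// comes from a user this is exactly the XSS exposure the thread warns about.
function hiddenFieldUnsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Fixed, as the thread suggests: ENT_QUOTES encodes both " and ', so the
// value cannot close either a double- or single-quoted attribute. The charset
// is passed explicitly and invalid byte sequences are substituted, not trusted.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hiddenFieldSafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Stand-in for the browser: read the attribute the way an HTML parser would and
// decode its entities, which is what the UA does before it builds the POST body.
function browserSubmits(string $html): ?string
{
    if (!preg_match('/\svalue="([^"]*)"/', $html, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

echo hiddenFieldUnsafe('f', $value), "\n";
echo hiddenFieldSafe('f', $value), "\n";

// Only the escaped field round-trips: the browser turns &quot; back into ",
// so the raw POST (and hence the database) receives the original string.
foreach (['unsafe' => hiddenFieldUnsafe('f', $value),
          'safe'   => hiddenFieldSafe('f', $value)] as $label => $html) {
    $ok = browserSubmits($html) === $value ? 'round-trips' : 'is truncated';
    echo $label, ' field ', $ok, "\n";
}
```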

Re: hidden fields containing quotes...

am 23.01.2008 13:20:40 von colin.mckinnon

On 23 Jan, 12:02, The Natural Philosopher wrote:
> Rik Wasmus wrote:
> > On Wed, 23 Jan 2008 12:42:07 +0100, jodleren wrote:
>
> >> Hi!
>
> >> I just realised a problem in a system I am doing.
> >> I pass data on in a hidden and a text input, of course with
> >> value="whatever"
> >> The problem happens with
> >> value="whatever is there are " one more?"
>
> >> How have people solved this?
>
> > htmlspecialchars($string, ENT_QUOTES);
>
> Yes. Any strings embedded in forms and form variables that need to use
> and display quotes and the like, need expressing in 'proper' HTML.
>
> I am not quite sure how it happens, but these seem in my case to get
> magically removed when stuffing into the MySQL database.
>
> I've probably got some magic set up by default ;-)

Note to OP: PHP historically tried to fix this with a
'magic_quotes_gpc' setting - which didn't work - so more settings got
added, until everybody agreed that PHP should do its job and the
programmer should do hers. The settings are still there in 5.2 but
should all be switched OFF. If you're really interested have a google
for the long sad story.

Note 2: in HTML and Javascript, you can put double quotes inside
single quotes (where they will be ignored) and vice-versa, but (AFAIK)
you can't *escape* quotes - hence using htmlentities.

HTH

C.

Re: hidden fields containing quotes...

am 23.01.2008 16:25:53 von Courtney

C. (http://symcbean.blogspot.com/) wrote:
> On 23 Jan, 12:02, The Natural Philosopher wrote:
>> Rik Wasmus wrote:
>>> On Wed, 23 Jan 2008 12:42:07 +0100, jodleren wrote:
>>>> Hi!
>>>> I just realised a problem in a system I am doing.
>>>> I pass data on in a hidden and a text input, of course with
>>>> value="whatever"
>>>> The problem happens with
>>>> value="whatever is there are " one more?"
>>>> How have people solved this?
>>> htmlspecialchars($string, ENT_QUOTES);
>> Yes. Any strings embedded in forms and form variables that need to use
>> and display quotes and the like, need expressing in 'proper' HTML.
>>
>> I am not quite sure how it happens, but these seem in my case to get
>> magically removed when stuffing into the MySQL database.
>>
>> I've probably got some magic set up by default ;-)
>
> Note to OP: PHP historically tried to fix this with a
> 'magic_quotes_gpc' setting - which didn't work - so more settings got
> added, until everybody agreed the PHP should do its job and the
> programmer should do hers. The settings are still there in 5.2 but
> should all be switched OFF. If you're really interested have a google
> for the long sad story.
>

I ought to check..
> Note 2: in HTML and Javascript, you can put double quotes inside
> single quotes (where they will be ignored) and vice-versa, but (AFAIK)
> you can't *escape* quotes - hence using htmlentities.
>

Found out the hard way here..;-)

The other gotcha was trying to print % signs in a printf
statement..finally remembered it's '%%' in that syntax....

God I am so rusty...

> HTH
>
> C.