  1. #1

    Quotes (") are breaking my <form>

    OK,

    I'm sure there's a simple solution to this one, but I can't seem to get my brain around it right now. I'm working with a script I got from the net that allows users to submit form data that will eventually end up in my database.

    The script uses 3 separate PHP pages that allow the user to enter data, review data, and then submit to the database. The data is passed between pages using forms and the POST method.

    The problem:

    As the data is passed from one form/page to another, any quotes ("") that the user enters will cause problems.

    Example:

    Code:
    <form method="POST" action="save.php">
    <input type=hidden name="review" value="<? echo $review; ?>">
    </form>
    If the user submits a "review" that has a double quote in it, the form breaks b/c the quote truncates the submission....similar to the problem of submitting a quote into a database without a slash.

    How do I get around this? Is there something similar to addslashes() that will work for data passed through forms? Or is there another way to circumvent this?

    Thanks.
    -Garrett

  2. #2
    maxor
    Try using html_entities.

  3. #3
    dtang4
    I would use the addslashes function:
    http://us2.php.net/addslashes

    This will "backslash out" those problematic quotes.

  4. #4
    Quote Originally Posted by dtang4:
        I would use the addslashes function:
        http://us2.php.net/addslashes

        This will "backslash out" those problematic quotes.

    FYI, this did not work for me because I was having problems displaying my data in forms (BEFORE the data hit the db). The extra slashes are simply ignored by the form.

    Quote Originally Posted by maxor:
        Try using html_entities.

    This one DID work! Nice!!

    Thank you both for the help.
    -G

  5. #5
    If you use addslashes, don't forget to use stripslashes when displaying the data on the other end or your data will look like

    .........Yadda yadda data isn\'t gonna show correctly because it isn\'t removing the slashes....


    Also just because I'm a nut for secure code...

    If you're gonna submit stuff to a DB to be displayed back to the user and others it's a REALLY REALLY good idea to use strip_tags(); as well. That will remove any javascript or freaky HTML (meta redirects) that lame hacker wannabes will put into your pages. This is nasty stuff and it can 1) install spyware and viruses or 2) redirect your users to any page the hacker wants to.... scary
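
Added example, not code from any post in this thread: it renders the hidden `review` field from the first post through each function mentioned above and checks whether the next page would receive the original text. The helper names `hidden_field` and `submitted_value` and the sample review are constructed; `htmlentities()` is the PHP function the thread refers to as html_entities, and `htmlspecialchars()` is included as the narrower built-in that encodes the same HTML-significant characters.

```php
<?php
// Added example; helper names and the sample review text are constructed.

// Build the hidden field from the first post, passing the value through $encode.
function hidden_field(string $value, callable $encode): string
{
    return '<input type="hidden" name="review" value="' . $encode($value) . '">';
}

// Approximate what the browser submits: a double-quoted attribute ends at the
// next double quote, then character references inside it are decoded.
function submitted_value(string $html): string
{
    preg_match('/ value="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input containing a double quote, an ampersand and a tag.
$review = 'He said "great" & left <b>happy</b>';

$encoders = [
    'none'             => fn(string $s): string => $s,
    // Adds a backslash, but the double quote itself is still in the attribute.
    'addslashes'       => 'addslashes',
    // Removes tags, but leaves quotes and ampersands untouched.
    'strip_tags'       => 'strip_tags',
    // Both of these turn " into &quot;, so the attribute is not closed early.
    'htmlentities'     => fn(string $s): string => htmlentities($s, ENT_QUOTES, 'UTF-8'),
    'htmlspecialchars' => fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
];

foreach ($encoders as $label => $encode) {
    $html = hidden_field($review, $encode);
    $back = submitted_value($html);
    printf(
        "%-16s %s\n  html: %s\n  next page receives: %s\n",
        $label,
        $back === $review ? 'round-trips' : 'TRUNCATED',
        $html,
        $back
    );
}
```

Because the browser decodes the entities before submitting, save.php receives the original text, so escaping for the database is a separate step applied at the query. Values read back from the database and shown in a page need the same HTML encoding at output time.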

