  1. #1 SitePoint Wizard

    Proper use of htmlentities

    I'm going through Kevin's Build Your Own DD Website book. He recommends using htmlspecialchars to convert special characters into their HTML equivalent. However, I still got an error message for a paragraph that contained two single-quotes and two double-quotes.

    I tried using htmlentities instead and I still got the error message (at bottom). Is there something else I should be doing?

    PHP Code:
    $descr = htmlentities($racer['descr']);
    echo "<td>$descr</td>\n";
    Thanks!
    Steve

    p.s.
    Error message says:
    Error adding new entry: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '80's. I was also able to use some "old school" decals from a kit' at line 4

  2. #2 php_daemon
    For sql queries use mysql_real_escape_string
    Saul

  3. #3 Hammer65
    That's right, storing HTML entity escaped strings in a database is a bad idea. The only safe escape method is mysql_real_escape_string().

  4. #4 SitePoint Wizard

    How would I use the function?

    I'm too new to understand exactly where to use that function. I tried it in three different places and several different forms. The link you gave was not clear enough for me. Here's a portion of the code that shows a query being performed. How would I use the function? Is this the wrong part of the code?

    PHP Code:
    <?php
    // run the query assembled from the SELECT / FROM / WHERE fragments
    $racers = @mysql_query($select . $from . $where);

    if (!$racers) {
      echo '</table>';
      exit('<p>Error retrieving from database!<br />' .
          'Error: ' . mysql_error() . '</p>');
    }

    while ($racer = mysql_fetch_array($racers)) {
      echo "<tr valign='top'>\n";
      $id = $racer['id'];
      $vehicle_name = htmlspecialchars($racer['vehicle_name']);
      echo "<td>$vehicle_name</td>\n";

      $owner_name = htmlspecialchars($racer['owner_name']);
      echo "<td>$owner_name</td>\n";

      $descr = htmlspecialchars($racer['descr']);
      echo "<td>$descr</td>\n";

      $year = htmlspecialchars($racer['year']);
      echo "<td>$year</td>\n";

      $conversion = $racer['conversion'];
      echo "<td>$conversion</td>\n";

      echo "<td><a href='spotlight_edit1.php?id=$id'>Edit</a> | " .
          "<a href='spotlight_delete1.php?id=$id'>Delete</a></td>\n";
      echo "</tr>\n";
    }
    ?>

    </table>

    <p><a href="spotlight1.php">New search</a></p>
    <p><a href="index1.htm">Main page</a></p>
    </body>
    </html>

  5. #5 php_daemon
    Hm, the query is executed on the first line, the rest is irrelevant. So what's above?
    Saul

  6. #6 Hammer65
    To boil it down a bit. Instead of doing

    PHP Code:
    $sql = "SELECT * FROM atable WHERE name='" . $_POST['name'] . "'";
    You should do

    PHP Code:
    $name = mysql_real_escape_string($_POST['name']);
    $sql = "SELECT * FROM atable WHERE name='" . $name . "'";
    Format output with htmlspecialchars, if it comes from user input and it is text. If it's a number from an integer field, or a date created with SQL now() or PHP date() for instance, there's no point to escaping it.
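    The separation Hammer65 describes (escape for SQL when a value goes into a query, escape for HTML when it is printed, and never store HTML entities), worked through as an added example that is not code from the thread. It is written against mysqli, the maintained successor of the mysql_* functions used above (those were removed in PHP 7); $db->real_escape_string() is the equivalent of mysql_real_escape_string(), and the prepared-statement variant is shown because it makes the quote problem from post #1 impossible by construction. The table name, column names, connection details and the sample description are all assumptions made for the example.

```php
<?php
// Added example, not the thread's code. Connection parameters are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    exit('Connection failed: ' . htmlspecialchars($db->connect_error));
}
// real_escape_string() is charset-aware, so set the charset before escaping anything
$db->set_charset('utf8mb4');

// Constructed input with the same single and double quotes that broke the OP's INSERT.
$descr = "Restored an '80s body. I was also able to use some \"old school\" decals from a kit";

// 1. Storing: escape for SQL only. No htmlentities() here, the raw text is stored.
function insert_racer_escaped(mysqli $db, string $descr): bool
{
    $safe = $db->real_escape_string($descr);   // mysqli successor of mysql_real_escape_string()
    $sql  = "INSERT INTO racers (descr) VALUES ('$safe')";
    return $db->query($sql) === true;
}

// Same insert with a bound parameter: the driver keeps the data apart from the SQL text,
// so no quote inside $descr can end the string literal, and nothing has to be escaped.
function insert_racer_prepared(mysqli $db, string $descr): bool
{
    $stmt = $db->prepare('INSERT INTO racers (descr) VALUES (?)');
    $stmt->bind_param('s', $descr);
    return $stmt->execute();
}

if (!insert_racer_prepared($db, $descr)) {
    exit('<p>Error adding new entry: ' . htmlspecialchars($db->error) . '</p>');
}

// 2. Displaying: escape for HTML only, at output time, and only text columns.
$res = $db->query('SELECT id, descr FROM racers');
while ($racer = $res->fetch_assoc()) {
    $id    = (int) $racer['id'];   // integer column: cast it, nothing to escape
    // ENT_QUOTES also converts single quotes, which matters when a value lands
    // inside a single-quoted attribute such as the href='...' links above
    $descr = htmlspecialchars($racer['descr'], ENT_QUOTES, 'UTF-8');
    echo "<tr valign='top'>\n";
    echo "<td>$descr</td>\n";
    echo "<td><a href='spotlight_edit1.php?id=$id'>Edit</a></td>\n";
    echo "</tr>\n";
}
```

    insert_racer_escaped() is the one-to-one translation of the fix in this post; insert_racer_prepared() does the same job without building the query string at all, which is why the bound-parameter form is the one to reach for in new code.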

  7. #7 SitePoint Wizard
    Hammer65 -- that did it!! Error message is gone! Entire text has been entered in the database. Now, onward.

    Thanks!
    Steve
