Double quote injection problem with mySQL and PHP

Hi,

I have no problem injecting texts that come with quotes into my database (I think), for instance,

I’d like to say “Hello”

the problem is, when I go to edit this text (title) again, in the input field, it only shows this,

I’d like to say

the double quotes are missing. I think it is because of this - value="" which has double quotes,

<input name="pg_title" type="text" value="<?php echo $row_page['pg_title'];?>"/>

How can I fix this problem?

many thanks,
Lau

To make strings HTML-friendly, use htmlentities:

<input name="pg_title" type="text" value="<?php echo htmlentities($row_page['pg_title']); ?>"/>

See htmlspecialchars() and use the ENT_QUOTES option.
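The point behind that answer is worth seeing side by side. The original `value="<?php echo $row_page['pg_title'];?>"` is not only a display bug: any `"` in the title closes the attribute, so whoever controls a title controls the markup that follows it. The added example below (editor's illustration, not code from the thread) renders the same field both ways. It reuses the thread's `$row_page['pg_title']` name; the sample titles, including the attack-style one, are constructed.

```php
<?php
// Added example, not from the thread. Renders the thread's input field with
// and without escaping. Sample titles are constructed; the second one is an
// attacker-style value, not something reported in the thread.

function renderTitleInput(string $title): string
{
    // ENT_QUOTES escapes both ' and ", so the value cannot close the
    // attribute whichever quote delimits it. Passing the charset explicitly
    // avoids surprises on older PHP versions whose default differs.
    return '<input name="pg_title" type="text" value="'
        . htmlspecialchars($title, ENT_QUOTES, 'UTF-8')
        . '"/>';
}

function renderTitleInputUnescaped(string $title): string
{
    // The form from the question, kept only for comparison: the title is
    // dropped straight into the attribute.
    return '<input name="pg_title" type="text" value="' . $title . '"/>';
}

$samples = [
    'I\'d like to say "Hello"',                    // the poster's title
    '"><script>alert(document.cookie)</script>',  // constructed attack value
];

foreach ($samples as $title) {
    echo "unescaped: " . renderTitleInputUnescaped($title) . PHP_EOL;
    echo "escaped:   " . renderTitleInput($title) . PHP_EOL . PHP_EOL;
}
```

For the first sample the unescaped field ends at `value="I'd like to say "` and the rest of the title is lost, which is exactly the symptom in the question; for the second the unescaped field ends the tag and injects a script element, while the escaped field carries `&quot;&gt;&lt;script&gt;...` as plain text. `htmlentities()` as given in the answer works the same way for quotes when called with ENT_QUOTES; `htmlspecialchars()` is enough because only `& < > " '` matter in this context.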

thanks got it!

cool thanks for the help

Hi, sorry, having a problem with htmlspecialchars() now…

I convert all single and double quotes when injecting them into the database,

htmlspecialchars($pg_title, ENT_QUOTES)

it shows this in the database,

it(single quote - converted)s "marry" (note that the single quote cannot be displayed here)

Then I decode it again and wrap it with htmlentities() when I want to edit it again,

<input name="pg_title" type="text" value="<?php echo htmlentities(htmlspecialchars_decode($row_page['pg_title']));?>" /> 

it shows this in the input field -

it(single quote - converted)s “marry” (note that the single quote cannot be displayed here)

The single quote is not decoded, or is it something else?

thanks
L

Got it sorted. Just need to echo the converted text straight from the database, without using htmlentities().

thanks
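Editor's note with an added example (not code from the thread): the behaviour in the last exchange comes from the flags of `htmlspecialchars_decode()`. Its default before PHP 8.1 is ENT_COMPAT, which decodes `&quot;` but leaves `&#039;` alone, so a title escaped with ENT_QUOTES on the way in comes back with the single quote still encoded unless ENT_QUOTES is passed on the way out as well. The example reproduces that round trip with the thread's title and then shows the arrangement most people settle on: keep the raw text in the database (a prepared statement handles the quotes) and escape once, at output. It uses an in-memory SQLite table through PDO, so it assumes the pdo_sqlite extension; the table, column and title are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Reproduces the single-quote symptom
// and contrasts escape-before-storage with escape-at-output. Assumes the
// pdo_sqlite extension; the page table and the title are constructed.

$title = 'it\'s "marry"';

// 1. What the poster stored: text escaped before it reached the database.
$stored = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
echo "stored:             $stored", PHP_EOL;          // it&#039;s &quot;marry&quot;

// 2. ENT_COMPAT (the htmlspecialchars_decode default before PHP 8.1) restores
//    the double quotes but leaves &#039; as it is: the symptom in the thread.
echo "decode, ENT_COMPAT: ", htmlspecialchars_decode($stored, ENT_COMPAT), PHP_EOL;

// 3. ENT_QUOTES restores both kinds of quote.
echo "decode, ENT_QUOTES: ", htmlspecialchars_decode($stored, ENT_QUOTES), PHP_EOL;

// 4. Escape-at-output: the raw title goes in through a prepared statement,
//    so its quotes are data rather than SQL, and is escaped when rendered.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page (pg_id INTEGER PRIMARY KEY, pg_title TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO page (pg_title) VALUES (:title)');
$insert->execute([':title' => $title]);

$select = $db->prepare('SELECT pg_title FROM page WHERE pg_id = :id');
$select->execute([':id' => 1]);
$row_page = $select->fetch(PDO::FETCH_ASSOC);

function titleField(array $row_page): string
{
    // One escaping step, in the HTML attribute context, with ENT_QUOTES.
    return '<input name="pg_title" type="text" value="'
        . htmlspecialchars($row_page['pg_title'], ENT_QUOTES, 'UTF-8')
        . '" />';
}

echo "raw in database:    ", $row_page['pg_title'], PHP_EOL;
echo "rendered field:     ", titleField($row_page), PHP_EOL;
```

Storing the escaped form, as the thread ends up doing, does work as long as every consumer of that column expects HTML and nothing escapes it a second time; storing the raw text keeps the column usable for non-HTML output (JSON, e-mail, CSV) and puts the escaping decision at the one place where the output context is known.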