Clearly I’m either an idiot or haven’t had enough coffee yet. I’m going to hope it’s the latter. Didn’t even occur to me that the browser would display it differently.
Well it’s working, so I’m not going to freak out about this but it’s interesting. I really do have a form element posting because that’s how I can see the value of the variable and can also (thanks to AlienDev) insert it into the database.
You’re a genius. From the 20 seconds I spent reading about mysql_real_escape_string() it looks like it doesn’t actually escape the same characters as htmlspecialchars() does - is that right? It seems messy to use both functions.
Right. htmlspecialchars() will escape <> characters to &lt;&gt; (and quotes to &quot; if you tell it to). mysql_real_escape_string() escapes ' to ''. Double-single-quotes (does that make sense?) is how SQL escapes characters.
Thank you to each of you for lightning-fast responses and refraining from calling me out on my obvious errors. You would think that after 7 years I would have figured some of these basic things out by now.
Point taken. Time to go secure the SQL queries and then move on to bacon doughnuts. Anthony, I know you’re jealous but they won’t do well via airmail.
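The two contexts discussed in this thread (storing a form value in the database and displaying it in the browser), as an added example that is not part of the original posts. It swaps in PDO bound parameters for mysql_real_escape_string(), which was removed in PHP 7, and uses an in-memory SQLite database as a stand-in; the table, column and variable names are hypothetical and the sample input is constructed.

```php
<?php
// Constructed sample input: a form value containing markup, quotes and an ampersand.
$comment = "<b>Bob's</b> \"note\" & more";

// Storage context: bind the value as a parameter so it never becomes part of
// the SQL text. No manual SQL escaping is applied.
// Assumption: the pdo_sqlite extension is available; SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $comment]);

// The database holds the raw value exactly as submitted, not an HTML-encoded copy.
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $comment);

// Output context: HTML-encode only at the point the value is written into a page.
// ENT_QUOTES encodes both single and double quotes, which matters inside attributes.
$encoded = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
echo '<p>', $encoded, '</p>', "\n";

// Viewing the page source shows the entities; the rendered page shows the
// original characters, which is why the two views differ.
```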