如何将带引号的字符串正确保存到数据库以进一步显示？

Question

I want save some form data on database. The form:

echo '<form action="post" method="'.$_SERVER['PHP_SELF'].'">
<input type="text" name="first_name" value="htmlspecialchars($_POST['first_name']).' />
<input type="text" name="last_name" value="htmlspecialchars($_POST['last_name']).' />
<input type="submit" name="submit" />
</form>';

If some input is empty it do refresh to same page and show error at top that say to fill the inputs.

The problem is when I fill only one input to value aaa"aaa and the another save empty, than I submit. Than I get error that say to fill the another input and the filled value change from aaa"aaa to aaa"aaa.

Because of that when I save the data on database some of the data is escaped and some data is not.

I thought to use htmlspecialchars_decode but if I will type aaa"aaa it will convert it to aaa"aaa when i want save it as it is (aaa"aaa).

What I can do?

Thank you!

Answer 1

好吧，我建议您使用Javascript验证来检查每个字段，然后如果一切正常，则将其保存在数据库中。

Answer 2

If you need to do verification of user data, certainly you need to do it on front-end (javascript) and in back-end (for security reasons).

Anyway, first of all I see mistakes in your php code. There is no some proper concatenation symbols and quotation marks. Correct piece of code should be:

echo '<form action="post" method="'.$_SERVER['PHP_SELF'].'">
<input type="text" name="first_name" value="'.htmlspecialchars($_POST['first_name']).'" />
<input type="text" name="last_name" value="'.htmlspecialchars($_POST['last_name']).'" />
<input type="submit" name="submit" />
</form>';

If you really want to display quotaion marks, which were been inserted by your users, as variant you can use html_entity_decode($your_variable_here);

$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlspecialchars($orig);
$b = html_entity_decode($a);
echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now
echo $b; // I'll "walk" the <b>dog</b> now

More info here