
Use of double quotes in an 'input type="text"' value won't work, string stops at double quote!

How can I make it possible for users to use the '"' (double quote) inside a textfield...

Whenever I do use double-quote in the field (the value) then when receiving the variable in my PHP file with:

   $text=mysql_real_escape_string($_POST['subject']);

and then echo it, I get a string which is escaped properly, but the string stops exactly before the double-quote!

I don't want it to stop because of the double-quote though!

JavaScript is used to validate the text field so it's not empty. Maybe I should do something more with JavaScript when validating, and alter the value, so PHP can get the correct value including the double quotes?

Thanks

UPDATE

CODE:

   $headline= mysql_real_escape_string($_POST['headline']);
   echo htmlentities($headline);

I have tried merging the two above, will only give the same results. NOTE: I have ALSO TRIED adding ENT_QUOTES into the htmlentities function...

Unformatted string as entered:

   + , . ; : - _ space & % ! ? = # * ½ @ / \ [ ]< > " ' hej hej

will output this when echoing it:

   + , . ; : - _ space & % ! ? = # * ½ @ / \\ [ ]< > 

You have to use htmlspecialchars($str, ENT_QUOTES) or htmlentities($str, ENT_QUOTES) to convert the quotes to the HTML entity &quot;. These functions also take care of other characters that should be encoded.

mysql_real_escape_string() is only meant for escaping single quotes in database queries, so that you can correctly enter strings with single quotes into your database (and avoid SQL injections).

EDIT: Added parameters. Thanks to micahwittman

The reason it isn't working when you're outputting it into the input is because the value is being truncated at the quote. You'll need to use htmlspecialchars() on the output.

You're mixing up two things: mysql_real_escape_string is used to prepare strings for storing in a mysql database. htmlentities is used to prepare strings for echoing in the browser. Both are important to do, but calling one after the other on the same string can't be expected to work. Do something like the following:

   <?php
   // Copy string after escaping for mysql into $db_headline
   $db_headline = mysql_real_escape_string($_POST['headline']);

   // Copy string after escaping for page display into $html_headline
   $html_headline = htmlentities($_POST['headline']);

   // Store the headline in the database

   ...

   ?>
   <input type="text" name="headline" value="<?php echo $html_headline ?>" />

   ...
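
An added example (not part of the original answers) of the separation described above: the raw string is stored through a bound parameter and HTML-escaped only when it is written into the value attribute. It assumes PHP with the PDO SQLite and DOM extensions; the in-memory SQLite table `posts` stands in for the MySQL database, a prepared statement is used in place of mysql_real_escape_string(), and `$raw` and `parsed_value()` are illustrative names.

```php
<?php
// Constructed sample input containing both quote types and other HTML metacharacters.
$raw = 'Say "hej hej" & it\'s <fine>';

// Hypothetical helper: returns the value an HTML parser reads back
// from the first <input> element in the given markup.
function parsed_value(string $markup): string
{
    $doc = new DOMDocument();
    // Suppress libxml warnings about the deliberately malformed markup.
    @$doc->loadHTML('<html><body>' . $markup . '</body></html>');
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

// 1. Storage context: bind the raw string, let the driver handle SQL quoting.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (headline TEXT)');
$stmt = $pdo->prepare('INSERT INTO posts (headline) VALUES (?)');
$stmt->execute([$raw]);
$stored = $pdo->query('SELECT headline FROM posts')->fetchColumn();

// 2. HTML context, no escaping: the first double quote in the data
//    closes the value attribute, so the field is cut short.
$broken = '<input type="text" name="headline" value="' . $stored . '" />';

// 3. HTML context, escaped at the point of output.
$safe = '<input type="text" name="headline" value="'
      . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '" />';

// The database returns the string unchanged, with no backslashes added.
var_dump($stored === $raw);

// What the parser sees as the field value in each rendering.
var_dump(parsed_value($broken));
var_dump(parsed_value($safe));

// The escaped rendering round-trips to the original input.
var_dump(parsed_value($safe) === $raw);
```
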

It's not the job of the JS to modify the input string; the server should make sure it can accept what it's getting regardless.

You could escape out the double quotes with another value, either an ASCII symbol or HTML &quot; etc., before you pass it into your mysql escape function?
