On Tue, 25 Jan 2005 17:02:21 -0800, Chris <listschris@xxxxxxxxxxxxxxx> wrote:
> You should probably use get_magic_quotes_runtime() , as _gpc only
> applies to GET/POST/COOKIE,
>
> htmlspecialchars is needed so the HTML can be parsed properly:

So is this only done to stuff that is to be displayed on a web page?
What happens if it is done to stuff that is (possibly) also passed
through addslashes and written to the database? Also, does it matter
what order htmlspecialchars/addslashes???

However, this is the least of my problems; I still don't have the main
magic quotes thing working. So I will detail what I am doing and see if
anyone can help.

Everything that comes from the database (regardless of what is done to
it next) is passed through the following function.

    function unprep( $text ) {
        // Take data coming from the database and get it ready to be presented
        // to the user.

        if ( get_magic_quotes_gpc() ){
            $result = stripslashes($text);
        }
        else{
            $result = $text;
        }

        $result = htmlspecialchars( $result );

        return $result;
    }

This is done regardless of what is to be done to the data by using
foreach on the row that is returned.

    foreach( $this->record as $index => $value ) {
        $this->record[$index] = unprep( $value );
    }

And before anything is written to the database it goes through the
following function.

    function prep( &$text ) {
        if ( get_magic_quotes_gpc() ) {
            return $text;
        } else {
            return addslashes($text);
        }
    }

But I am still getting the \', \\' thing happening.

One of my problems is I am not sure how to reliably look at the data
at various stages. If I do echo $value and it has \' in it, is \'
displayed or is ' displayed? I.e. is it only in the <input type=text
tag that the \' shows up?

Thanks for everybody's help, hope I am nearly there ;)

Ben

> if the value in the text box was something like:
>
> "> Hello World!
>
> when you go to put in the value attribute it would end up:
>
> <input type="text" value=""> Hello World!" />
>
> That would not parse correctly.
>
> but if you escaped it with htmlspecialchars or htmlentities you'd get:
>
> <input type="text" value="&quot;&gt; Hello World!" />
>
> And the box would contain the proper data
>
>
> Ben Edwards wrote:
>
> >PS. How does htmlspecialchars fit into this. The unprep function is
> >to prepare data coming from the database to be used in <input
> >type=text, does the below function make sense?
> >
> >Ben
> >
> >function unprep( $text ) {
> >    // Take data coming from the database and get it ready to be presented
> >    // to the user.
> >
> >    if (magic_quotes_gpc()){
> >        $result = stripslashes($text);
> >    }
> >    else{
> >        $result = $text;
> >    }
> >
> >    return htmlspecialchars( $result );
> >}
> >--
> >Ben Edwards - Poole, UK, England
> >WARNING:This email contained partisan views - don't ever accuse me of
> >using the veneer of objectivity
> >If you have a problem emailing me use
> >http://www.gurtlush.org.uk/profiles.php?uid=4
> >(email address this email is sent from may be defunct)
> >
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--
Ben Edwards - Poole, UK, England
WARNING:This email contained partisan views - don't ever accuse me of
using the veneer of objectivity
If you have a problem emailing me use
http://www.gurtlush.org.uk/profiles.php?uid=4
(email address this email is sent from may be defunct)
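
Added example, not part of the thread or of anyone's posted code: it traces one value through the request, SQL and HTML stages to show where a stray \' comes from when a value is slash-escaped twice, and that HTML escaping belongs only at output time. simulate_magic_quotes(), sql_store() and trace() are hypothetical helpers; the magic-quotes setting is simulated because the feature no longer exists in current PHP, and the SQL parser is approximated with stripslashes().

```php
<?php
// Added example. simulate_magic_quotes(), sql_store() and trace() are
// hypothetical helpers; the sample input below is constructed.

// What magic_quotes_gpc did to each GET/POST/COOKIE value on arrival.
function simulate_magic_quotes(string $v): string {
    return addslashes($v);
}

// Stand-in for the SQL parser reading a quoted literal: it consumes one
// level of backslash escaping, so the stored value has one level fewer.
function sql_store(string $literal): string {
    return stripslashes($literal);
}

function trace(string $typed, bool $magicOn, bool $alwaysAddslashes): array {
    $request = $magicOn ? simulate_magic_quotes($typed) : $typed;
    // Escape for SQL exactly once, unless $alwaysAddslashes forces a second pass.
    $forSql = ($magicOn && !$alwaysAddslashes) ? $request : addslashes($request);
    $stored = sql_store($forSql);
    // Assumes magic_quotes_runtime is off: rows read back need no stripslashes().
    // HTML-escape only at the moment the value is written into the page.
    $html = '<input type="text" value="' . htmlspecialchars($stored, ENT_QUOTES) . '" />';
    return ['request' => $request, 'forSql' => $forSql, 'stored' => $stored, 'html' => $html];
}

$typed = 'O\'Reilly "> Hello';   // constructed sample input
$cases = [
    'magic quotes on, escaped once'  => [true,  false],
    'magic quotes on, escaped twice' => [true,  true],
    'magic quotes off, escaped once' => [false, false],
];
foreach ($cases as $label => [$magicOn, $always]) {
    echo "== $label ==\n";
    // echo prints the bytes unchanged, so a backslash shown here is really in the value.
    foreach (trace($typed, $magicOn, $always) as $stage => $value) {
        printf("%-8s %s\n", $stage, $value);
    }
}
```

Only the "escaped twice" case leaves backslashes in the stored value, and they then show up inside the input box.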