Re: weird characters problem

On Fri, May 26, 2006 9:13 am, Angelo Zanetti wrote:
> I have a situation where people enter values into a textfield that can
> include the following:
>
> 1 ! 2 @ 3 # 4 $ 5 % 6 ^ 7 & 8 * 9 ( 10 ) 11 ; 12 : 13 " 14 ' 15 ? 16 -
> 17 _ 18
>
> Now once they move to another page and then come back to the page where
> the textfield is, I echo out the value they previously entered, from a
> session variable. When the values are saved in a session
> variable I addslashes and when I echo I stripslashes, however because
> of the " double quote it screws up my page, because the textfield's
> value is escaped prematurely.

addslashes is (or, rather, WAS) the way to escape data before it went
into the database.

Not "before it went to HTML and then into a database".

Do *NOT* do the addslashes (or mysql_real_escape_string, or whatever)
until the last possible moment, right before the $query is set up.

Meanwhile, back at the ranch, data going out to a BROWSER as part of
HTML should have http://php.net/htmlentities called on it.

This will convert your " into &quot; which is what it should be to be
considered "data" by the browser.

Again, this should be done at the last possible moment before going
out to the browser, and without modifying your original variable
holding the data, so that you don't muddy the waters by trying to cram
&quot; into your database.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
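
The advice in the reply above, as an added example that is not part of the original message: the value stays raw in the session, is escaped for HTML only when the textfield is printed, and is escaped for SQL only when the query runs. Assumptions: the array $session stands in for $_SESSION, the helper text_input() is hypothetical, an in-memory SQLite database (pdo_sqlite extension) stands in for the poster's database, and bound parameters are used in place of addslashes / mysql_real_escape_string.

```php
<?php
// Constructed sample input: the characters listed in the question.
$raw = '1 ! 2 @ 3 # 4 $ 5 % 6 ^ 7 & 8 * 9 ( 10 ) 11 ; 12 : 13 " 14 \' 15 ? 16 - 17 _ 18';

// Store the value exactly as entered; no addslashes() on the way in.
$session = ['field' => $raw];

// Hypothetical helper: escape for the HTML context at output time only,
// returning a new string and leaving the stored value untouched.
function text_input(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return sprintf(
        '<input type="text" name="%s" value="%s">',
        htmlentities($name, $flags, 'UTF-8'),
        htmlentities($value, $flags, 'UTF-8')
    );
}

// The situation from the question: addslashes() is not HTML escaping, so
// the " in the data still closes the value attribute early.
$broken = '<input type="text" name="field" value="' . addslashes($raw) . '">';

// Escaped at the last moment before going out to the browser.
$fixed = text_input('field', $session['field']);

// SQL context: the raw value is handed to the database only when the
// query runs. A bound parameter does the job addslashes() used to do.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (value TEXT)');
$db->prepare('INSERT INTO entries (value) VALUES (?)')->execute([$session['field']]);
$stored = $db->query('SELECT value FROM entries')->fetchColumn();

echo "broken: $broken\n";
echo "fixed:  $fixed\n";

// Round-trip checks: what the browser decodes from the attribute, and what
// the database returns, are each compared with the raw value.
$escaped = htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
var_dump(html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === $raw);
var_dump($stored === $raw);
```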

