Re: Displaying data from a MySQL table

On Fri, June 30, 2006 1:39 pm, Don wrote:

> 905.362.6000"l""s"'L'

>   <td><input type="text" name="phone" value="<?PHP echo
> query_database($db_account->Phone); ?>" size="25"></td>

So you end up with this:

value="905.362.6000"1""s"'L'"
                   ^
And, in HTML, this | marks the end of the string.

You know how you do mysql_real_escape_string to put data in a database?
In the same way, you need http://php.net/htmlentities to put data into
HTML.

In fact, if you think about it, almost every time you put data from
point A to point B, you need to "escape" it for that specific usage.

data -> MySQL : mysql_real_escape_string
data -> HTML : htmlentities
data -> URL : urlencode

You can frequently "get away" with not doing the escape only because
the data doesn't happen, by mere chance, to have any 'bad' characters
in it.

That doesn't make your code correct.  It just happens to sort of work.

-- 
Like Music?
http://l-i-e.com/artists.htm
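To make the escape-per-destination point concrete, here is an added PHP example (not code from the original post or the thread) that builds the same phone input with and without HTML-attribute escaping and shows the URL and MySQL counterparts named in the reply. The sample value is the one from the thread; the `lookup.php` target, the `accounts` table and the column names are assumptions.

```php
<?php
// Constructed sample: the phone value from the thread, as it comes out of the database.
$phone = '905.362.6000"l""s"\'L\'';

// What the quoted form code does: the embedded " ends the value="..." attribute early,
// and everything after it is parsed by the browser as markup, not as data.
function buildInputUnescaped(string $value): string
{
    return '<input type="text" name="phone" value="' . $value . '" size="25">';
}

// Escaped for an HTML attribute: &, <, >, " and ' become entities, so the browser
// cannot mistake data for markup. ENT_QUOTES covers both quote styles (the pre-8.1
// htmlentities default leaves ' alone); ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string and silently dropping the field.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function buildInputEscaped(string $value): string
{
    return '<input type="text" name="phone" value="' . escapeHtml($value) . '" size="25">';
}

// data -> URL: percent-encode per RFC 3986 (rawurlencode gives %20 for a space,
// urlencode gives +). The quotes become %22 and %27 and cannot break the query string.
function buildLookupUrl(string $value): string
{
    return 'lookup.php?phone=' . rawurlencode($value);   // lookup.php is assumed
}

// data -> MySQL: the mysqli escape needs the live connection so it knows the
// connection charset. Not invoked below because no database is available here;
// a prepared statement with bind_param() avoids building the SQL string at all.
function buildUpdateSql(mysqli $db, string $value): string
{
    return "UPDATE accounts SET phone = '" . $db->real_escape_string($value) . "' WHERE id = 1";
}

echo buildInputUnescaped($phone), "\n";   // attribute closes after 6000
echo buildInputEscaped($phone), "\n";     // quotes survive as &quot; and &#039;
echo buildLookupUrl($phone), "\n";
```

Run it with `php` on the command line and compare the first two lines: only the escaped version still carries the full value inside the attribute.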

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php