From: "matthew perry" <mwperry@xxxxxxxxxxx>
> Actually I think the problem is before you can use either addslashes or
> mysql_escape_string() functions. The value with " or ' never reaches
> the database. I think I need a way to ignore quotes for input values in
> HTML.
>
> Say I have this:
> <input type="text" size = "2" name="Q">
> And my user enters: 2 " copper tubing
> The value for "Q" will be: 2

No, the value of $Q will still be 2 " copper tubing, but if you tried to show that value inside of a text box again, you'd lose everything after the second quote, because you end up with this:

<input type="text" size="2" name="Q" value="2 " copper tubing">

HTML interprets the value as "2 " and the rest of the value as an unrecognized attribute. The solution is to run htmlentities() on the value to convert double quotes into &quot; so you end up with

<input type="text" size="2" name="Q" value="2 &quot; copper tubing">

Which will appear correctly to the user. Note that if you deal with text that's going to be shown on HTML pages, running the text through htmlentities($value,ENT_QUOTES) will prevent the text from being used for cross site scripting and SQL injection.

---John Holmes...

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
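
The round trip described in the reply above, as an added example that is not part of the original message: the "2 " copper tubing" value is written into the input with and without htmlentities(..., ENT_QUOTES) and the markup is parsed back to show which attributes result. It goes one step beyond the thread by storing the raw value through a bound parameter, because HTML encoding is an output step and the database layer needs its own handling. The helper names attr() and inspect(), the items table and the in-memory SQLite database (requires pdo_sqlite) are assumptions made for the illustration.

```php
<?php
// Added illustration; not code from the original thread.
// Constructed sample input: what the user typed into the "Q" field.
$q = '2 " copper tubing';

// Hypothetical helper: encode a value for a quoted HTML attribute.
// ENT_QUOTES encodes both " and ' so neither can end the attribute.
function attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Parse markup roughly as a browser would and report what the <input> holds.
function inspect(string $html): string
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html); // @ hides parser warnings about the broken markup
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $a) {
        $names[] = $a->nodeName;
    }
    return sprintf("value=[%s] attributes=[%s]",
        $input->getAttribute('value'), implode(', ', $names));
}

// Database side (assumes the pdo_sqlite extension): store the raw value
// through a bound parameter; HTML encoding is applied only at output.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (q TEXT)');
$db->prepare('INSERT INTO items (q) VALUES (?)')->execute([$q]);
$stored = $db->query('SELECT q FROM items')->fetchColumn();

// Unescaped: the second double quote closes the value attribute early.
$broken = '<input type="text" size="2" name="Q" value="' . $stored . '">';
// Escaped: the quote is sent as &quot; and stays inside the value.
$fixed  = '<input type="text" size="2" name="Q" value="' . attr($stored) . '">';

foreach (['unescaped' => $broken, 'escaped' => $fixed] as $label => $html) {
    echo $label, ":\n  ", $html, "\n  ", inspect($html), "\n";
}
```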