Non-escaped data breaks input tag value attribute

Join our forum today, it's free!

Register now and get access to all php class downloads!
Members are able to post new topics and comments.
Create a member profile and share your social profile links.
The abbility to follow your favorite forum topics.

PHP Script Forums » General Web Development Forum

Non-escaped data breaks input tag value attribute

(4 posts)

Tags:

Started 1 year ago by grahamsimmons
Latest reply from Olaf

Great offers for webmaster, blogger and web developer!

grahamsimmons
Member

How can I place the data Fred "O'Brien" Bloggs into the VALUE attribute of an INPUT tag without breaking the HTML code?

Example ...

//Get name from users table where id is 1.
$res = @mysql_query("SELECT name FROM users WHERE ID='1'");
$name = mysql_result($res, 0, "name"); //Now contains Fred "O'Brien" Bloggs

//Now place $name into INPUT tag
<input type="text" name="name" value="<?php echo $name?>">

Whether I use double or single quote on the value attribute I'm going to get an issue due to the data being placed in it. To stop the error I could use mysql_real_escape_string, but I don't want to show escaped data to the user as that's not what they entered.

Please help a man nearly in tears!

Posted 1 year ago #

Olaf
PHP Coder

i use this function most of the time:

function prev_sql_inject($val, $matrix = '\'%s\'') {

	if (get_magic_quotes_gpc()) $val = stripslashes($val);

	return sprintf($matrix, mysql_real_escape_string($val));

}

Posted 1 year ago #

grahamsimmons
Member

Brilliant, thanks very much Olaf :o)

Posted 1 year ago #
Olaf
PHP Coder

I saw that problem in several scripts on different web hosts.

both are using a not standard php setting: magic quotes (is off by default)

maybe you need to add "stripslashes" to the output too

Posted 1 year ago #

RSS feed for this topic

Reply

You must log in to post.