jordanwb Posted June 26, 2008 Share Posted June 26, 2008 I'm making a photo management system for a local high school. When I add an album I call addslashes to prevent SQL injections. On the edit page I retrieve the album's name and enclose it in the tag like so: echo '<td><input maxlength="256" name="album_name" type="text" value="'.$album_name.'" /></td>'."\n"; Now in the source HTML it says: <input maxlength="256" name="album_name" type="text" value=""Testing quotes"" /> Now I have tried calling addslashes like so: echo '<td><input maxlength="256" name="album_name" type="text" value="'.addslashes($album_name).'" /></td>'."\n"; so that the HTML is like so: <input maxlength="256" name="album_name" type="text" value="\"Testing quotes\"" /> but in the input box all that shows up is a "/" (minus the quotes). Quote Link to comment Share on other sites More sharing options...
GingerRobot Posted June 26, 2008 Share Posted June 26, 2008 You want htmlentities(). I guess i should elaborate -- you need to convert special characters to their relevant html entity. If the value of something contained a double quote, the browser would assume that the value ends at the first double quote found. Converting that double to it's enties (can't remember what it is off the top of my head) prevents this. Quote Link to comment Share on other sites More sharing options...
jordanwb Posted June 26, 2008 Author Share Posted June 26, 2008 htmlentities() was what I was looking for. Thanks. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.