Hi All

I have observed the following:

HTML contents of form field: testing&quot;testing (displayed in browser field as testing"testing)

Goes into the database as: testing"testing

My question is, can you confirm what is translating the html entity &quot; into the character " when the database insert is done?

I collect the field with:

$ReviewDesc=$_POST['txtReviewDesc'];

I assume it is mysql_real_escape_string which I am applying. Can anyone confirm that is how mysql_real_escape_string works?

Many thanks

No, mysql_real_escape_string() won't convert entities back to characters; that's the job of html_entity_decode(). That's weird, as normally the entities should be inserted as a string, not decoded by MySQL. Are you sure you're looking into the database field and not just printing its value in HTML, which will normally decode the character?

OK, I have done a bit more testing. If I have a form field where the field contents is given in HTML as:

testing&quot;testing

This is displayed in the browser in the field as:

testing"testing

If I then retrieve the contents of the field using:

$ReviewDesc=$_POST['txtReviewDesc'];

and redisplay this on the page it is shown as (note magic quotes on and producing the slash):

testing\"testing

Checking the actual HTML it is also shown as:

testing\"testing

So in summary, the underlying field contents in HTML has changed from:

testing&quot;testing

to:

testing\"testing

i.e. we have transformed the contents from HTML entity &quot; into character " through the contents being displayed in a form and retrieved with $_POST.

Therefore my conclusion is that $_POST will retrieve actual characters from a field, even if in the actual HTML they are given as HTML entities. Would everyone agree with this?

Thanks all.

Yes, this appears to be happening. I have done some testing on this and my results are the same as yours. I can't find any information on why this happens.
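As an added example that is not code from the thread: a PHP script reproducing the round trip the posts describe (entity in the value attribute, raw character in $_POST, magic-quotes backslash) together with the safe way to store and redisplay the value. It assumes the pdo_sqlite extension; an in-memory SQLite table stands in for the MySQL table, html_entity_decode() stands in for the browser's attribute parsing, and addslashes() approximates what magic quotes (and, for these inputs, mysql_real_escape_string) do to a quote.

```php
<?php
// Added example, not code from the thread. Assumes pdo_sqlite; SQLite stands in for MySQL.

// 1. Server side: render the stored value into the field. htmlspecialchars() encodes the
//    double quote as &quot; so it cannot terminate the value="..." attribute.
$stored = 'testing"testing';
$field  = '<input name="txtReviewDesc" value="'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';

// 2. Browser side: the HTML parser decodes &quot; while reading the attribute, so the
//    field holds a real quote and the form submits that character, not the entity.
//    html_entity_decode() simulates the browser here on a constructed value.
$submitted = html_entity_decode('testing&quot;testing', ENT_QUOTES, 'UTF-8');

// 3. magic_quotes_gpc (removed in PHP 5.4) ran addslashes() over every request value,
//    which is where the backslash in the thread comes from. Simulated, then undone:
//    on old PHP the check was get_magic_quotes_gpc() and the fix was stripslashes().
$fromPost   = addslashes($submitted);
$reviewDesc = stripslashes($fromPost);

// 4. Store with a bound parameter. Neither this nor mysql_real_escape_string() decodes
//    entities; both only keep quote characters from breaking the SQL statement.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE reviews (id INTEGER PRIMARY KEY, review_desc TEXT)');
$ins = $db->prepare('INSERT INTO reviews (review_desc) VALUES (:d)');
$ins->execute([':d' => $reviewDesc]);

// 5. Read it back and re-encode for the HTML context. The database holds the character;
//    the entity only ever exists in the rendered markup.
$back = $db->query('SELECT review_desc FROM reviews')->fetchColumn();
printf("rendered:    %s\n", $field);
printf("submitted:   %s\n", $submitted);
printf("magic quotes %s\n", $fromPost);
printf("stored:      %s\n", $back);
printf("redisplay:   %s\n", htmlspecialchars($back, ENT_QUOTES, 'UTF-8'));

// Contrast: escaping the entity form leaves the entity alone; escaping the character form
// backslashes the quote. Escaping never turns &quot; into " in either direction.
printf("escaped entity:    %s\n", addslashes('testing&quot;testing'));
printf("escaped character: %s\n", addslashes('testing"testing'));
```

Run it with `php example.php`; the printed lines trace the value through each stage, and the final two show that escaping is orthogonal to entity decoding.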
