webref.eu
Posted August 15, 2008

Hi All

I have observed the following:

HTML contents of form field: testing&quot;testing
(displayed in browser field as testing"testing)

Goes into the database as: testing"testing

My question is, can you confirm what is translating the html entity &quot; into the character " when the database insert is done?

I collect the field with:

$ReviewDesc=$_POST['txtReviewDesc'];

I assume it is mysql_real_escape_string which I am applying. Can anyone confirm that is how mysql_real_escape_string works?

Many thanks

Fadion
Posted August 15, 2008

No, mysql_real_escape_string() won't convert entities back to characters, that's the job of html_entity_decode(). That's weird, as normally the entities should be inserted as string, not decoded by mysql. Are you sure you're looking into the database field and not just printing its value in html, which will normally decode the character?

webref.eu (Author)
Posted August 16, 2008

> No, mysql_real_escape_string() won't convert entities back to characters, that's the job of html_entity_decode(). That's weird, as normally the entities should be inserted as string, not decoded by mysql. Are you sure you're looking into the database field and not just printing its value in html, which will normally decode the character?

OK, I have done a bit more testing.

If I have a form field where the field contents is given in HTML as:

testing&quot;testing

This is displayed in the browser in the field as:

testing"testing

If I then retrieve the contents of the field using:

$ReviewDesc=$_POST['txtReviewDesc'];

and redisplay this on the page it is shown as (note magic quotes on and producing the slash):

testing\"testing

Checking the actual HTML it is also shown as:

testing\"testing

So in summary, the underlying field contents in HTML has changed from:

testing&quot;testing

to:

testing\"testing

i.e. we have transformed the contents from HTML entity &quot; into character " through the contents being displayed in a form and retrieved with $_POST.

Therefore my conclusion is that $_POST will retrieve actual characters from a field, even if in the actual HTML they are given as HTML entities. Would everyone agree with this?

Thanks all.

wildteen88
Posted August 16, 2008

> Therefore my conclusion is that $_POST will retrieve actual characters from a field, even if in the actual HTML they are given as HTML entities. Would everyone agree with this? Thanks all.

Yes, this appears to be happening. I have done some testing on this and my results are the same as yours. I can't find any information on why this happens.
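
The round trip discussed in this thread, as an added example that is not part of any poster's message: the browser decodes &quot; while parsing the value attribute and submits the literal character URL-encoded, so PHP never receives the entity. The browser and magic_quotes_gpc steps are simulated here with html_entity_decode(), urlencode() and addslashes(); the helper function names are hypothetical.

```php
<?php
// Constructed walk-through; the field name and sample text come from the thread.

// 1. Server side: a literal double quote is entity-encoded so it can sit
//    inside value="..." without ending the attribute.
$stored = 'testing"testing';
$markup = '<input type="text" name="txtReviewDesc" value="'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';

// 2. Browser side (simulated): the HTML parser decodes character references
//    in attribute values, so the field's value holds the real character.
function browser_field_value(string $markup): string
{
    preg_match('/value="([^"]*)"/', $markup, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// 3. Submission (simulated): the field value is sent as
//    application/x-www-form-urlencoded, so the quote is percent-encoded.
function request_body(string $name, string $value): string
{
    return $name . '=' . urlencode($value);
}

$fieldValue = browser_field_value($markup);
$body       = request_body('txtReviewDesc', $fieldValue);

// 4. PHP side: the body is URL-decoded into $_POST (parse_str performs the
//    same decoding here). No entity handling happens at this step.
parse_str($body, $post);

// With magic_quotes_gpc on, as in the thread, PHP also ran addslashes() over
// the value. The feature was removed in PHP 5.4; it is simulated here.
$withMagicQuotes = addslashes($post['txtReviewDesc']);

// 5. Store the raw characters through a bound parameter (or the driver's
//    escaping function) and entity-encode again only when writing HTML.
$forHtml = htmlspecialchars($post['txtReviewDesc'], ENT_QUOTES, 'UTF-8');

// Print every stage so the transformation at each hop is visible.
foreach (compact('markup', 'fieldValue', 'body', 'withMagicQuotes', 'forHtml') as $k => $v) {
    echo str_pad($k, 16), $v, PHP_EOL;
}
```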