s1yman Posted August 21, 2008

Hi, I have a form that contains text areas for input to my DB. My question is: how do I stop quotation marks, inverted commas, and other punctuation from confusing the script when the form is submitted? Thanks in advance.

Link to comment https://forums.phpfreaks.com/topic/120748-solved-problem-with-puncuation-in-input-form/
s1yman Posted August 21, 2008 (Author)

I just read something about htmlentities() on Google, but does anyone have an idea how I would fit this into my form?
BlueSkyIS Posted August 21, 2008

I typically single-quote HTML element parameters, then use htmlentities() thus:

```php
<?php
// Value taken from the request; ENT_QUOTES makes htmlentities() encode
// single quotes as well as double quotes, so the value cannot close the
// single-quoted VALUE attribute early.
$input = $_GET['atextfield'] ?? '';
echo "<input type='text' NAME='atextfield' VALUE='" . htmlentities($input, ENT_QUOTES) . "' SIZE='20'>";
?>
```
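The following is an added example, not code from the thread. It shows the point of the post above in working form: the same `<input>` rendered with `ENT_QUOTES` (both quote characters encoded) and with `ENT_COMPAT` (only `"` encoded), fed a value that tries to break out of the single-quoted attribute. The field name `atextfield` is taken from the post; the sample values are constructed, and PHP 7 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes the single-quoted
// attribute convention of the post above and PHP >= 7.

/**
 * Build an <input> whose value came from the request.
 * ENT_QUOTES encodes both ' and ", so the value can never terminate the
 * single-quoted attribute and start injecting attributes of its own.
 */
function render_text_input(string $name, string $value): string
{
    $flags     = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $safeName  = htmlspecialchars($name,  $flags, 'UTF-8');
    $safeValue = htmlspecialchars($value, $flags, 'UTF-8');
    return "<input type='text' name='{$safeName}' value='{$safeValue}' size='20'>";
}

/**
 * The same markup built with ENT_COMPAT, which encodes " but leaves ' alone.
 * Included only to show what the missing flag costs with single-quoted attributes.
 */
function render_text_input_compat_only(string $name, string $value): string
{
    $safeName  = htmlentities($name,  ENT_COMPAT, 'UTF-8');
    $safeValue = htmlentities($value, ENT_COMPAT, 'UTF-8');
    return "<input type='text' name='{$safeName}' value='{$safeValue}' size='20'>";
}

// Constructed sample values: ordinary punctuation, then an attribute break-out.
$samples = [
    "O'Reilly said \"hi\" & left <early>",
    "' onmouseover='alert(1)",
];

foreach ($samples as $raw) {
    echo "ENT_QUOTES : ", render_text_input('atextfield', $raw), PHP_EOL;
    echo "ENT_COMPAT : ", render_text_input_compat_only('atextfield', $raw), PHP_EOL;
}
```

With the second sample the `ENT_COMPAT` line comes out as `value='' onmouseover='alert(1)' size='20'`: the value has closed the attribute and added an event handler, which is exactly what the `ENT_QUOTES` version prevents. `htmlspecialchars()` is used rather than `htmlentities()` because only the five HTML-significant characters need encoding; both accept the same flags.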
s1yman Posted August 22, 2008 (Author)

Thanks for the info mate. The punctuation confuses the process script when the user clicks submit, so I have tried:

```php
<?php
// htmlentities() with ENT_QUOTES turns ' and " into entities, so they no
// longer terminate the quoted SQL literal. Backslashes are left alone, so
// this is HTML encoding, not SQL escaping.
$one = htmlentities($_POST['one'], ENT_QUOTES);
$sql = "INSERT INTO Test2 (one) VALUES ('$one')";
?>
```

This strips the code and stops the punctuation interfering with the script, but it still shows properly on the display page. The only problem is that I want people to be able to put in links and possibly other scripts. Do you know any way to do this?
Fadion Posted August 23, 2008

```php
<?php
// Strip first, escape last: the escaping must be the final step before the
// string goes into the query. (mysql_real_escape_string() needs an open
// mysql_connect() link and was removed in PHP 7; on current PHP use
// PDO or mysqli prepared statements instead.)
$one = strip_tags($_POST['one'], '<a>');  // will remove all HTML tags except anchors
$one = mysql_real_escape_string($one);    // this will escape all characters that can break your query
?>
```

It's not a good idea to let users insert code and then display it to other users. You may end up with exploiters using XSS all the way. It depends on what you want to achieve though, but stripping code is usually a good practice.
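The post above separates two different problems, and the following added example (not code from the thread or from either poster) works each of them through. The SQL side is handled with a PDO prepared statement against an in-memory SQLite table named `Test2` with a column `one`, matching the original poster's query, so no escaping of the value is needed at all. The HTML side shows the caveat a practitioner needs with `strip_tags($html, '<a>')`: it removes the other tags but leaves every attribute on the anchors, so `onclick="..."` and `href="javascript:..."` pass straight through. The example rebuilds each anchor from an allow-list of URL schemes. It assumes PHP 7 or later with the `pdo_sqlite` extension; the sample input and the `example.com` link are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP >= 7 with the
// pdo_sqlite extension; table Test2 and column "one" follow the original
// poster's query. The sample input below is constructed.

/**
 * Return a safe, re-encoded href for an <a> tag's attribute string, or null.
 * Entities are decoded before the check so "&#106;avascript:" cannot slip
 * past, and only an allow-list of schemes is accepted (no blocklist).
 */
function safe_href(string $attrs): ?string
{
    if (!preg_match('/\bhref\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))/i', $attrs, $m)) {
        return null;
    }
    $raw = $m[1] . ($m[2] ?? '') . ($m[3] ?? '');   // exactly one alternative is non-empty
    $url = trim(html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    if (!preg_match('#^(?:https?://|mailto:)#i', $url)) {
        return null;
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Keep only <a> tags, and on those only an allow-listed href.
 * strip_tags($html, '<a>') removes the other tags but leaves every attribute
 * on the anchors, so this pass rebuilds each anchor from scratch and drops
 * anchors with no acceptable href (their text is kept) and nested anchors.
 */
function allow_safe_links(string $html): string
{
    $onlyAnchors = strip_tags($html, '<a>');
    $tokens = preg_split('/(<a\b[^>]*>|<\/a\s*>)/i', $onlyAnchors, -1, PREG_SPLIT_DELIM_CAPTURE);

    $out  = '';
    $open = false;
    foreach ($tokens as $tok) {
        if (preg_match('/^<a\b([^>]*)>$/i', $tok, $m)) {
            $href = safe_href($m[1]);
            if ($href !== null && !$open) {        // unsafe or nested anchor: drop the tag
                $out .= '<a href="' . $href . '" rel="nofollow noopener">';
                $open = true;
            }
        } elseif (preg_match('/^<\/a\s*>$/i', $tok)) {
            if ($open) {
                $out .= '</a>';
                $open = false;
            }
        } else {
            $out .= $tok;                           // text between tags, kept as-is
        }
    }
    return $open ? $out . '</a>' : $out;
}

/**
 * Store text with a bound parameter and read it back. Nothing is escaped:
 * the driver keeps data and SQL apart, so quotes and backslashes are just data.
 */
function store_and_fetch(string $text): string
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE Test2 (one TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO Test2 (one) VALUES (:one)');
    $stmt->execute([':one' => $text]);
    return (string) $db->query('SELECT one FROM Test2')->fetchColumn();
}

// Constructed input: real punctuation, a link carrying an event handler,
// a javascript: link, and a script block.
$raw = "Rob's \"page\" -- see <a href=\"http://example.com/\" onclick=\"alert(1)\">site</a>, "
     . "<a href=\"javascript:alert(1)\">bad</a> and <script>alert(2)</script>";

$clean  = allow_safe_links($raw);
$stored = store_and_fetch($clean);

echo "strip_tags alone : ", strip_tags($raw, '<a>'), PHP_EOL;
echo "rebuilt anchors  : ", $clean, PHP_EOL;
echo "round trip intact: ", var_export($stored === $clean, true), PHP_EOL;
```

The first output line still contains `onclick="alert(1)"` and `href="javascript:alert(1)"`; the second reduces the input to `Rob's "page" -- see <a href="http://example.com/" rel="nofollow noopener">site</a>, bad and alert(2)` (note that `strip_tags()` removes the `<script>` tags but keeps their text). The text outside the anchors is not entity-encoded here, so a bare `&` passes through; encode the non-anchor text with `htmlspecialchars()` at display time if strict output is needed, or use a maintained HTML sanitizer such as HTML Purifier rather than the tokenizer above for anything beyond links.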
s1yman Posted August 23, 2008 (Author)

Well, my idea is that it is their own page, so if they want to f*ck it up they can. It's not a publicly open form, if you get me. Thanks for the code, Gear!
This topic is now archived and is closed to further replies.