[SOLVED] Escaped string value disapears?

[Boo-urns]

When processing a form with double quotes and the validation fails the value is just the '\' that is added in. However when I echo it out right after escaping it it displays properly.

 

My question is how would you put their inputted value back? (Everything besides double quotes returns correctly to the form when validation fails)

 

Posting variable and running function

<?php
// inside the form processing
$fName   = $db->check_n_escape($_POST['fName'], 'first name');

 

Function in the db class

<?php
// check n escape function in the db class
function check_n_escape($str, $checkName) {		
	if($str == NULL) {
		$this->fieldError  = 1;
		$this->fieldErrMsg .= ($this->fieldErrMsg != NULL) ? $checkName . ", " : $this->fieldErrMsgStart . $checkName . ", ";

	} else 
		{ return $this->escape_str($str); }

}

function escape_str($str) {							// escaping strings
	if(get_magic_quotes_gpc())
		{$str = stripslashes($str);} 

	if(function_exists("mysql_real_escape_string"))
		{$str = mysql_real_escape_string($str);} 
	else
		{$str = addslashes($str);} 

	return $str;		
}

?>

 

Or is there a better way? Thanks for your help!

-Corey

[kenrbnsn]

How are you displaying the value?

 

Ken

[Boo-urns]

I haven't put in a stripslashes function yet but I'm just outputting it to the field.

 

<input type="text" name="fName" id="fName" value="<?= $fName; ?>" />

[kenrbnsn]

You need to use the htmlentities function when displaying the data in the value attribute or the double quote in the data will end the value. If you had looked at the generated source of the form, you would have seen something like:

<input type="text" name="fName" id="fName" value="this string has a " in it />

if the value of $fName had been 'this string has a " in it'

 

You need to use:

<input type="text" name="fName" id="fName" value="<?php echo htmlentities(stripslashes($fName),ENT_QUOTES); ?>" />

 

Ken

[Boo-urns]

That worked perfectly! Thanks Ken!

 

-Corey