Stephen68 Posted September 11, 2009

I came across a function that cleans up form information for queries; it uses htmlspecialchars(). Now when I go to display the entry from the database the " and whatnot are messed up. So to fix this I used htmlspecialchars_decode(), and so far it works, but I was wondering if this is the proper way to do this kind of thing. Here is the function I use to clean up form information.

    function clean($text) {
        $text = strip_tags(trim(htmlspecialchars(mysql_real_escape_string($text))));
        return htmlspecialchars($text);
    }

Thanks for your advice and help guys

Stephen

Link to comment https://forums.phpfreaks.com/topic/173926-htmlspecialchars-help/
thebadbad Posted September 11, 2009

Only run mysql_real_escape_string() (and strip_tags(), if you want to remove potential tags) on a string before inserting it into the database. Then when you display the data on your pages, run it through htmlentities() or htmlspecialchars() to prevent the data from being interpreted as (X)HTML. And didn't you notice your function applies htmlspecialchars() twice?
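The pattern thebadbad describes, as an added example rather than code from the thread: store the submitted text as typed, escape only at the database boundary, and HTML-encode exactly once at the output boundary. It also reproduces the double-encoded output of the original clean() so the "messed up" quotes are visible side by side. Assumptions: an in-memory SQLite table via PDO stands in for the MySQL table, and a PDO prepared statement stands in for mysql_real_escape_string() (removed in PHP 7) as the database-boundary step; the helper names clean_original(), h() and demo() are this example's own.

```php
<?php
// Added example, not code from the original thread.
// Assumes pdo_sqlite is available; an in-memory table stands in for MySQL.

// The poster's clean(), minus mysql_real_escape_string(): that call needs a live
// MySQL link, and the backslashes it adds are consumed by the server on insert,
// so they never reach the stored value. What remains shows the real problem:
// htmlspecialchars() is applied twice, so the stored text is already encoded
// once, and strip_tags() after encoding is a no-op because < and > are now
// &lt; and &gt;.
function clean_original(string $text): string {
    $text = strip_tags(trim(htmlspecialchars($text)));
    return htmlspecialchars($text);
}

// Output boundary: encode once, immediately before the string reaches HTML.
// ENT_QUOTES encodes both " and ' so the value is safe inside attributes too.
function h(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function demo(): array {
    // Constructed sample input containing a quote, an ampersand and a tag.
    $input = 'Stephen said "hi" & left <b>early</b>';

    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

    // Database boundary: the value is bound as a parameter, so no SQL escaping
    // is done by hand and the text is stored exactly as submitted (with tags
    // stripped on the way in, which is the optional step thebadbad mentions).
    $stmt = $db->prepare('INSERT INTO entries (body) VALUES (:body)');
    $stmt->execute([':body' => strip_tags(trim($input))]);

    $stored = $db->query('SELECT body FROM entries')->fetchColumn();

    return [
        // Stephen said "hi" & left early
        'stored'         => $stored,
        // Stephen said &quot;hi&quot; &amp; left early  (browser shows the quotes)
        'displayed'      => h($stored),
        // Stephen said &amp;quot;hi&amp;quot; ...       (browser shows &quot; literally)
        'double_encoded' => clean_original($input),
    ];
}

foreach (demo() as $label => $value) {
    echo str_pad($label, 15), ': ', $value, PHP_EOL;
}
```

The 'double_encoded' line is what the original clean() stores: the browser renders `&amp;quot;` as the literal text `&quot;`, which is the symptom in the first post, and htmlspecialchars_decode() on output only undoes one of the two layers. Storing the raw text and calling h() once at display time removes the need for any decode step.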
Stephen68 Posted September 11, 2009 (Author)

Yeah, I see that now. I'm not sure where I came across that, but maybe I'll have to modify it a little.

Thanks for your help!

Stephen