Having trouble with quote/doubleQuotes' in input

[smerny]

I am using this for my input (which comes off an <input style='text'>)

foreach ($_POST as $key => $value) {
  $_POST[$key] = mysql_real_escape_string(htmlspecialchars($value));
  }

 

and I am having terrible problems with quotations marks... i've tried many things but it will either replace it with a code or add slashes or whatever... or if I input: [something's something] in the input, it will show up correctly when I pull it from the database and echo it... but if I echo it within the input value, it will come up as [something'] and removing the rest...

 

I want it so that I can use it for both straight echo and also echoing in the input value and it will keep showing up as [something's something]...

 

Like this topic title for example, I put a single quote in it... and it shows up correctly (with just the single quote and no other characters) both normally and within the input value while editing

 

how do I do this?

 

 

[mrMarcus]

you are trying to set an associative index on the $_POST array with a value from an input field, correct?

 

why?  what are you trying to do with this code?

 

this might work better for ya:

$mapped = array_map ('mysql_real_escape_string', $_POST);
$_POST = array_map ('htmlspecialchars', $mapped);

[smerny]

don't see how that would change anything with what's happening with the quotation marks and i tried it and it made no difference.

$_POST['example'] = "Something's something";
$mapped = array_map ('mysql_real_escape_string', $_POST);
$_POST = array_map ('htmlspecialchars', $mapped);

echo <input type='text' value='".$_POST['example']."' /> // shows [something's something] (like i want)

//but
echo $_POST['example']; //returns Something\'s something (not what I want)

 

[smerny]

do i need to stripslashes() everytime before displaying it outside of an input value?

[PFMaBiSmAd]

You need to use htmlentities() with the second parameter set to ENT_QUOTES, so that both single and double quotes in the data are converted to html entities so that they don't break the HTML on your page.

[smerny]

in place of htmlspecialchars?

[oni-kun]

in place of htmlspecialchars?

 

Yes, they are the same for the purpose you are using it for.

[mrMarcus]

don't see how that would change anything with what's happening with the quotation marks and i tried it and it made no difference.

 

was never intended to fix the problem.

 

easy solution.  don't run an escaping function on a variable you don't want escaped.

 

<?php
$_POST['example'] = "Something's something";
echo $_POST['example']; //outputs Something's something
?>

 

now, if you want to insert $_POST['example'] into a query, then run mysql_real_escape_string, and only then.  otherwise you're creating chaos.

 

seems you skipped right by my question:  what are you trying to do with this code ... that is necessary for you to be running mysql_real_escape_string() the $_POST array?

[smerny]

what are you trying to do with this code ... that is necessary for you to be running mysql_real_escape_string() the $_POST array?

storing it in a database

[mrMarcus]

ok, so don't run mysql_real_escape_string() against anything to be displayed back in form.  only on the value going into the query.

 

instead, do as has been said.  htmlentities() on the form value, mysql_real_escape_string() on the query value.  no need for stripslashes, etc.

[smerny]

the data going to the form is being pulled from the database after being submitted previously