Echoing out a string with double quotes in html form

[petenaylor]

Hi all

 

I have a field in mySQL table called dimensions. It has the double quote in in for inches - "

 

When I echo the result from the mySQL query on the item page (Customer facing) it's fine. However, I have built a form so that the administrator can edit the dimensions in the admin panel and when I echo it out in to the form field it stops when it gets to the double quotes?

 

Pete

 

 

[Anti-Moronic]

You need to escape those quotes when you enter them into the database using mysql_real_escape_string and stripslashes on the way out.

[trq]

using mysql_real_escape_string and stripslashes on the way out.

 

stripslashes is not needed on the way out if your data is properly escaped on the way in. The escape chars are only there to get the data into a valid query.

[Anti-Moronic]

using mysql_real_escape_string and stripslashes on the way out.

 

stripslashes is not needed on the way out if your data is properly escaped on the way in. The escape chars are only there to get the data into a valid query.

 

Sorry! Thanks for correction as well. Sorry OP, didn't mean to give out bad advice. Still, mysql_real_escape_string() is always a good idea on data insertion. Get used to using it and problems like this won't even appear.

[PFMaBiSmAd]

All content (anything that is not intentionally HTML tags/HTML syntax) that you output on a web page needs to be passed through htmlentities with the second parameter set to ENT_QUOTES so that any HTML entities in it, like &, ", ', <, and > don't break the HTML on your page.

 

Also, the value='...' attribute of a form field (all attributes in fact) need quotes around it to make it valid HTML.

 

[trq]

Also, the value='...' attribute of a form field (all attributes in fact) need quotes around it to make it valid HTML.

 

Hopefully not for that much longer. html5 is coming!

[jimmyt1988]

No, depends if he's using transitional or strict.

 

strict requires quotes, transitional does not.

[petenaylor]

Thanks for your replies guys.

 

Is this the correct way to send the string?

 

$dimensions = (mysql_real_escape_string($_POST['dimensions']));

 

Pete

[PFMaBiSmAd]

The information posted by Anti-Moronic in this thread has nothing to do with your problem of putting " into a form field value.

[petenaylor]

I'm a bit lost now!

 

Basically I have a DB entry that has double quotes in. When I am adding it into the DB I am using:

 

$dimensions = (mysql_real_escape_string($_POST['dimensions']));

 

When I am echoing it back into the form for the user to edit I am using:

 

<input name="dimensions" type="text" id="dimensions" size="80" maxlength="80" value="<?php echo stripslashes(mysql_real_escape_string($result['dimensions'])); ?>" class="basket-table-font" />

 

When I am echoing it to the user screen I am using:

 

<?php echo stripslashes($result['dimensions']); ?>

 

However this isn't working as it should. It misses off the contact after the double quotes.

 

Thanks for your help, it's much appreciated!

 

Pete