leachus2002 Posted January 7, 2011

Hi All, I have a text field in a form that, when submitted, passes the submitted data, using $_POST, into a second webpage. I then use an insert statement on that page to insert the submitted text into a DB. I am finding that if users place either a quote (") or an apostrophe (') in the form, it truncates the insert statement, as it takes the characters as the end of the line. Is there any other way of managing quotes and apostrophes in forms? Cheers Matt

runnerjp Posted January 7, 2011

Hey... you need to be using mysql_escape_string() on ALL data going into and out of the DB. This will help prevent your SQL DB becoming hacked and will also allow you to add ' & " into the form.

Pikachu2000 Posted January 7, 2011

Why would you escape data coming out of the database?

PFMaBiSmAd Posted January 7, 2011

The actual problem is most likely when you are outputting the data on a web page. The ' or " is breaking the HTML on your page. You generally need to use htmlentities with the second parameter set to ENT_QUOTES when you output data on a page.

leachus2002 Posted January 10, 2011

Hey Guys, My bad - sorry, but I forgot to mention that I am using an MSSQL DB - and I notice that there isn't an escape string for MSSQL. Does anyone know how I can get around this problem? Cheers Matt
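
For the MSSQL case raised in the last post, one way to avoid escaping altogether is to bind the submitted text as a query parameter and encode it only when it is written back into HTML. This is an added example, not code from any poster in the thread; it assumes PDO is available, uses an in-memory SQLite database as a runnable stand-in for the MSSQL server, and the table and function names are hypothetical.

```php
<?php
// Added example. SQLite in memory stands in for the MSSQL database so the
// script runs offline (assumption); prepare()/execute() are the same PDO
// calls used with a SQL Server PDO driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input, standing in for $_POST['comment'].
$submitted = 'She said "it\'s fine" <b>today</b>';

// The value travels as a bound parameter and is never spliced into the SQL
// text, so a quote or apostrophe cannot end the string literal.
function saveComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Reads the row back; returns null when the id does not exist.
function loadComment(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

$id = saveComment($pdo, $submitted);
$stored = loadComment($pdo, $id);

// Compares what was stored with what was submitted, byte for byte.
var_dump($stored === $submitted);

// Encode at output time only, for the HTML context (htmlentities with
// ENT_QUOTES, as suggested in the thread), so quotes cannot close the attribute.
$safe = htmlentities($stored, ENT_QUOTES, 'UTF-8');
echo '<input type="text" name="comment" value="' . $safe . '">', PHP_EOL;
```

The database keeps the raw text unchanged; HTML encoding is applied to the copy being printed, not to the stored value.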