Replacing Quotes in Submitted Forms

leachus2002 · January 7, 2011

Hi All,

I have a text field in a form that when submitted, passes the submitted data, using $_POST into a second webpage. I then use an insert statement on that page to insert the submitted text in to a DB.

I have finding that if user's place either a quote (") or a apostrophie (') in the form, it truncate's the insert statement, as it takes the characters as the end of the line.

Is there any other way of managing quotes and apostrophies in forms?

Cheers

Matt

runnerjp · January 7, 2011

Hye... you need to be using mysql_escape_string() on ALL data going into and out the DB.

This will help prevent your sql db becoming hacked and will also allow you to add ' & " into the form

Pikachu2000 · January 7, 2011

Why would you escape data coming out of the database?

PFMaBiSmAd · January 7, 2011

The actual problem is most likely when you are outputting the data on a web page. The ' or " is breaking the html on your page. You generally need to use htmlentities with the second parameter set to ENT_QUOTES when you output data on a page.

leachus2002 · January 10, 2011

Hey Guys,

My Bad - sorry but I forgot to mention that I am using an MSSQL DB - and I notice that there isnt an escape string for MSSQL. Does anyone know how I can get around this problem?

Cheers

Matt

Sign In

Replacing Quotes in Submitted Forms

Recommended Posts

leachus2002

Link to comment

Share on other sites

runnerjp

Link to comment

Share on other sites

Pikachu2000

Link to comment

Share on other sites

PFMaBiSmAd

Link to comment

Share on other sites

leachus2002

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information