Adding scripts to HTML forms


daxguy

I am having trouble posting a script using my HTML form. If I remove functions like mysql_real_escape_string() or htmlentities(), the query execution gives an error, like the characters ' or " are causing problems. I want to post a script with <script>code</script> in the field and want it working on the HTML page as it is coded on an HTML page. Can anyone help?

 

This is the input field

Description</b></td><td><textarea name="news_des" cols="50" rows="7">

extracting the information

	if(!empty($_POST['news_des']))
	{
		$news_des = mysql_real_escape_string(trim(htmlentities($_POST['news_des']))); // to get tags along
	}else
	{
		$error[] = 'You forgot to enter the News Description!';
	}

I think you need to use htmlspecialchars() here instead of htmlentities().

if(!empty($_POST['news_des'])) { 

    $des = $_POST['news_des'];
    $des = mysql_real_escape_string($des);
    $des = htmlspecialchars($des);

} else {
   $error[] = 'You forgot to enter the News Description!';
}

Why translate the characters? If you want to use it as HTML, store the HTML; if not, then htmlentities() when you display it, not when you insert it:

$news_des = mysql_real_escape_string(trim($_POST['news_des']));

Also, you may have magic_quotes enabled, if so:

if(get_magic_quotes_gpc()) {
    $_POST = array_map('stripslashes', $_POST);
}
$news_des = mysql_real_escape_string(trim($_POST['news_des']));
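
The advice in the reply above (store the text as submitted, encode it when you display it), as an added example that is not part of the original thread: a bound parameter takes the place of mysql_real_escape_string(), and htmlspecialchars() runs only at output. It assumes PHP 7 or later with the pdo_sqlite extension; the news table, the helper function names and the sample input are constructed for illustration.

```php
<?php
// Added example: sample input is constructed; table and helper names are hypothetical.
// SQLite in memory keeps it self-contained; with MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, news_des TEXT NOT NULL)');

// Constructed stand-in for $_POST['news_des']: quotes plus a script tag.
$posted = " It's \"breaking\" news <script>alert('hi')</script> ";

function save_news(PDO $pdo, string $raw): int
{
    $des = trim($raw);
    if ($des === '') {
        throw new InvalidArgumentException('You forgot to enter the News Description!');
    }
    // Bound parameter: the driver keeps data separate from SQL, so ' and "
    // need no escaping and the value is stored byte for byte.
    $stmt = $pdo->prepare('INSERT INTO news (news_des) VALUES (:des)');
    $stmt->execute([':des' => $des]);
    return (int) $pdo->lastInsertId();
}

function load_news(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT news_des FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Encode at display time, for the HTML context the value lands in.
function render_text(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$id = save_news($pdo, $posted);
$stored = load_news($pdo, $id);

var_dump($stored === trim($posted));   // the database holds the original markup
echo render_text($stored), PHP_EOL;    // displayed as text, the script does not run
// Emitting $stored unencoded makes the markup live (the script executes in
// every visitor's browser), so reserve that for content only trusted
// administrators can submit.
```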

Archived

This topic is now archived and is closed to further replies.
