daxguy Posted July 3, 2013

I am having trouble posting a script using my HTML form. If I remove functions like mysql_real_escape_string() or htmlentities(), the query execution gives an error like characters ' or " are causing problems. I want to post a script with <script>code</script> in the field and want it working on the HTML page as it is coded on an HTML page. Can anyone help?

This is the input field:

    Description</b></td><td><textarea name="news_des" cols="50" rows="7">

Extracting the information:

    if (!empty($_POST['news_des'])) {
        $news_des = mysql_real_escape_string(trim(htmlentities($_POST['news_des']))); // to get tags along
    } else {
        $error[] = 'You forgot to enter the News Description!';
    }

thara Posted July 3, 2013 (edited)

I think here you need to use htmlspecialchars() instead of htmlentities():

    if (!empty($_POST['news_des'])) {
        $des = $_POST['news_des'];
        $des = mysql_real_escape_string($des);
        $des = htmlspecialchars($des);
    } else {
        $error[] = 'You forgot to enter the News Description!';
    }

Edited July 3, 2013 by thara

AbraCadaver Posted July 3, 2013

Why translate the characters? If you want to use it as HTML store the HTML, if not then htmlentities() when you display it ot when you insert it:

    $news_des = mysql_real_escape_string(trim($_POST['news_des']));

Also, you may have magic_quotes enabled, if so:

    if (get_magic_quotes_gpc()) {
        $_POST = array_map('stripslashes', $_POST);
    }
    $news_des = mysql_real_escape_string(trim($_POST['news_des']));
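
Added example, not part of any post in this thread: storing the description through a bound parameter and encoding it only when it is printed, which keeps SQL quoting and HTML encoding as the two separate steps discussed above. The `news` table, the in-memory SQLite DSN (used so the script runs offline) and the sample input are assumptions made for the example.

```php
<?php
// Added example. Assumptions: table name "news", and an in-memory SQLite
// database so the script runs offline. The prepare()/execute() calls are
// the same when the PDO DSN points at MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, news_des TEXT NOT NULL)');

// Constructed sample input standing in for $_POST['news_des'].
$post = ['news_des' => "  It's a \"quoted\" <script>code</script> value  "];

$error = [];
$news_des = trim($post['news_des'] ?? '');
if ($news_des === '') {
    $error[] = 'You forgot to enter the News Description!';
}

if (!$error) {
    // Bound parameter: the ' and " characters are sent as data and never
    // reach the SQL parser, so no escaping function and no HTML encoding
    // is applied before storage.
    $stmt = $pdo->prepare('INSERT INTO news (news_des) VALUES (:des)');
    $stmt->execute([':des' => $news_des]);
}

// Read back: the stored value is exactly what was submitted (after trim).
$stored = $pdo->query('SELECT news_des FROM news ORDER BY id DESC LIMIT 1')
              ->fetchColumn();
var_dump($stored === $news_des);

// Encode at output time, for the HTML context the value is printed into.
// The markup is shown as text instead of being interpreted by the browser.
echo htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```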