Passing HTML in hidden input field

[11t1]

Hi,

 

I just wanted to take a poll to see what the best way to pass a chunk of text containing HTML in a hidden input form element would be.

 

I'm trying to pass the text from one page to another to another in a content management scenario, but the whole thing breaks down when HTML enters the picture.

 

On the page where the value is pulled from the database into a textbox, I'm using:

<?

  <textarea cols=\"45\" rows=\"10\" name=\"blurb\">".$blurb."</textarea>

?>

 

On the next page, the user can review the code displayed as plain text using:

<?

  echo(nl2br($blurb));

?>

 

There are no problems so far. But at the bottom of that page in the form that will pass the variables on to the script that will write the final changes to the database, everything falls apart when HTML comes into play.

 

<input type="Hidden" name="blurb" id="blurb" value="<? echo $blurb; ?>">

 

This line made everything fall apart when I put an anchor tag into the text. The closing > made it think the tag itself had closed, and the link text started printing to the screen.

 

So, what's the best way to handle situations like this. Would I use htmlentities() to get it to the database writing script and the use html_entity_decode() when actually passing the values into the db? Or is there a more sublime solution?

 

thx - stv

 

[papaface]

Use sessions.

[Dragen]

I've never had that problem..

try simply using the ful <?php instead of just <?. Sounds silly, but it could be the problem

[11t1]

Hey, the var is getting passed now w/ or w/o html, no probs...

 

however, when it comes time to writing to the d-base, html is breaking things again.

 

i'm using the following SQL code:

 

$query = "UPDATE pages SET title = \"$title\", heading = \"$heading\", blurb = \"$blurb\" WHERE id = \"$id\"";

 

$result = mysql_query($query) or die("Couldn't execute query.");

 

whenever i try to pass in html i see the dreaded Couldn't execute query statement. what up w/ that?

 

or should i be asking sql questions elsewhere? i'm still new here, please don't ostracize me.

[trq]

Never insert data straight into a database. Data needs to be cleaned firstly. Take a look at mysql_real_escape_string.

[11t1]

thx - i'll look into it. i did a quick face w/ putting this into the var retrieval routine in the meantime:

 

$blurb = addslashes($_POST['blurb']);

 

prolly not the cleanest sol'n, but i'm in a bit of a time crunch w/ the client.

[trq]

This is for a client and you don't know to clean data? Man, there is some gullible people out there.

[kenrbnsn]

When displaying HTML in a form and you don't want it to be interpreted, you need to use the function htmlentities() with the second parameter of "ENT_QUOTES".

<input type="Hidden" name="blurb" id="blurb" value="<? echo htmlentities($blurb,ENT_QUOTES); ?>">

 

Ken

 

[11t1]

thx ken, i'll do that...

 

thorpe - you know how it is - client asks if you can do something, in the back of your mind you know it's gonna be tricky, but there's a 2 yr old tugging at your pant leg who needs to be fed & all that - so you bluff & start researching & throwing together whatever it takes to take care of your family. i never said i was a rocket scientist (nor even a computer scientist). i'm just a guy doing whatever it takes to get get the job done.