simon551 Posted June 27, 2007 Share Posted June 27, 2007 Hi, I have a query that I am populating a drop-down menu with. I need to escape illegal characters, but I'd like to separate it out from the page. this is the marked-up page that the user views: <?php do { $row_rsProjectMenu['project'] = str_replace("&", "&", $row_rsProjectMenu['project']); $row_rsProjectMenu['project'] = str_replace("<", "-", $row_rsProjectMenu['project']); $row_rsProjectMenu['project'] = str_replace(">", "-", $row_rsProjectMenu['project']); ?> <option value="<?php echo $row_rsProjectMenu['projID']?>"> <?php echo $row_rsProjectMenu['project']?> </option> <?php } while ($row_rsProjectMenu = mysql_fetch_assoc($rsProjectMenu)); $rows = mysql_num_rows($rsProjectMenu); if($rows > 0) { mysql_data_seek($rsProjectMenu, 0); $row_rsProjectMenu = mysql_fetch_assoc($rsProjectMenu); } ?> and this is the query page. Is it possible to put a function over here so that I don't have to update all the str_replace instances if I find a new problem to escape? mysql_select_db($database_conn_org, $conn_org); $query_rsProjectMenu = "SELECT concat(`tblclients`.`ClientName`, ' | ', `projects`.`ProjName`, ' | ', DATE_FORMAT(projects.ProjBegDate, '%m/%d/%Y' ), ' | ', DATE_FORMAT(projects.ProjEndDate, '%m/%d/%Y' ),' | ', `projects`.`projLocation`) AS project, projID FROM `projects` Inner Join contracts ON contracts.contractID = projects.contractID Inner Join tblclients ON contracts.clientID = tblclients.ClientID WHERE COALESCE(projects.Inactive,0) <> 1 ORDER BY `tblclients`.`ClientName` ASC, `projects`.`ProjEndDate` DESC"; $rsProjectMenu = mysql_query($query_rsProjectMenu, $conn_org) or die(mysql_error()); $row_rsProjectMenu = mysql_fetch_assoc($rsProjectMenu); $totalRows_rsProjectMenu = mysql_num_rows($rsProjectMenu); Let me know if that is not making sense... Thanks! -s Quote Link to comment Share on other sites More sharing options...
simon551 Posted June 27, 2007 Author Share Posted June 27, 2007 I think what I neglected to explain is that I plan to re-use this query in multiple drop-downs throughout my site so it would be really helpful to write a function to do all the str-replaces and then just call the function instead of needing to re-write it everywhere. Quote Link to comment Share on other sites More sharing options...
btherl Posted June 28, 2007 Share Posted June 28, 2007 Let me know if that is not making sense... Bingo! Well, some of it makes sense. By "illegal characters" do you mean HTML markup? How exactly do you want to separate it out from the page? For comparison, I would do something like this: $in_data = $_POST['blah']; # Data coming in from user $in_data_escaped = mysql_real_escape_string($in_data); # Escape it for storage in mysql # Then store it in mysql # Later, we fetch it back from mysql.. it will be in the original format as it came from the user. But we want it escaped for safe display $out_data = $row['blah']; # Get it from mysql (assume we did a query earlier) $out_data_display = htmlspecialchars($out_data); # Escape html special characters print $out_data_display; # Safe for display! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.