[thelist] Double quotes in submitted form data WAS Double quotes ("), PHP & MySQL

Peter Duchateau peter at duo.be
Wed Aug 21 11:40:08 CDT 2002


My problem was solved by using:

<input type="text" name="fname" value="<?= htmlspecialchars($name); ?>">

Instead of

<input type="text" name="fname" value="<?= $name; ?>">

" becomes &quot; and all seems fine.

Peter


on 21-08-2002 18:33, Steve Lewis at slewis at macrovista.net wrote:

> Peter Duchateau wrote:
>
>> <input type="text" name="fname" value="abc"de'fg"">
>>
>> The browser only displays this value: abc
>> which is correct because the value is terminated at the second double quote.
>>
>> How can I get this to work ?
> I think the magic_quotes and escape_slashes camp is missing the boat on
> this problem.
>
> I ran into this bug in ColdFusion first, and I had to create a UDF
> (translate as: a function) that preprocesses data fields before I normally
> process the form fields.  This is part of a 'feature' of browsers
> (IE in particular) that transforms HTML Entities into their character
> equivalent at page display time when they are used in form fields, and
> then submits the character equivalent instead of the HTML entity when
> the form is resubmitted... and the behavior you are seeing was pointed
> out to me in this context.  When I figured out what was going on, I was
> able to see it should apply on the initial submit of data as well.
>
> If you change a double quote to a single quote you are changing the
> user's content, and that may change the meaning.
>
> To fix this, you will need to replace the " with the HTML Entity--
> &quot; --every time you process a submitted form.  You must preprocess
> form data, replacing these characters with their HTML character entity,
> before normally processing the submitted data at submit time.  This
> means before you insert or update in the database.
>
> I run my UDF on every form element, translated, you would run a similar
> function on every element you will find in $_POST.
>
> Below is the CF UDF that I use.  Translation to PHP should be easy enough.
>
> /**
> * Convert the " in form fields to an HTML entity (&quot;)
> *  NOTE: do not process form fields of type FILE or you
> *  will corrupt the file.
> *
> * @param exception_list
> *    list of fieldnames to NOT perform this operation on
> * @param delimiter
> *    delimiter for exception_list
> * @author Steve Lewis (slewis at macrovista.net)
> * @version 1, May 06, 2002
> **/
> function convertQuoteToEntity()
> {
>     // a var for looping
>     var i = 1;
>     // fieldname
>     var name = "";
>     // default parameter values
>     var exception_list = "";
>     var delimiter = ",";
>     // refine parameter values
>     if (ArrayLen(arguments) GT 0)
>     {
>         exception_list = arguments[1];
>         if (ArrayLen(arguments) GT 1)
>         {
>             delimiter = arguments[2];
>         }
>     }
>     for (i = 1; i LTE ListLen(form.fieldnames); i = i + 1)
>     {
>         name = ListGetAt(form.fieldnames, i);
>         if (ListFind(exception_list, name, delimiter) EQ 0)
>         {
>             form[name] = ReplaceNoCase(form[name], '"', '&quot;', 'all');
>         }
>     }
> }
> /** end function **/
>
> HTH,
>
> -- Steve
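The following PHP is an added example and is not code from either poster. It shows the htmlspecialchars() fix from the top of the thread applied at output time with ENT_QUOTES, so that a value containing both double and single quotes (like the one Peter posted) is rendered into the attribute intact, decoded back by the browser, and resubmitted unchanged, while the value stored in the database stays raw. The function names attrEscape() and renderInput(), the sample string, and the $pdo connection and `users` table in the commented insert are assumptions made for this example.

```php
<?php
// Added example (not from the thread): escape form values when rendering
// the page, not when storing them, so raw user content survives a round trip.

// Escape a value for use inside a quoted HTML attribute.
// ENT_QUOTES converts both " and '; the older default only converted ".
function attrEscape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the same <input> tag as in the thread, with name and value escaped.
function renderInput(string $name, string $value): string
{
    return '<input type="text" name="' . attrEscape($name)
         . '" value="' . attrEscape($value) . '">';
}

// Constructed sample: the value from the thread plus an ampersand and a tag,
// which are the other characters that would otherwise break the attribute.
$submitted = 'abc"de\'fg" & <b>';

echo renderInput('fname', $submitted), "\n";

// The browser decodes the entities in the attribute and resubmits the original
// characters; html_entity_decode() performs the same decode here to show that
// the escaped value decodes back to exactly what was submitted.
$roundTrip = html_entity_decode(attrEscape($submitted), ENT_QUOTES, 'UTF-8');
var_dump($roundTrip === $submitted);

// Because escaping happens only at display time, the raw string goes to the
// database, and with a prepared statement the quotes need no SQL escaping.
// Assumed placeholders: $pdo is an open PDO connection, table `users` has an
// `fname` column.
// $stmt = $pdo->prepare('INSERT INTO users (fname) VALUES (?)');
// $stmt->execute([$submitted]);
```

Keeping the stored value raw is what makes the data reusable: the same record can be escaped differently for HTML, for a JSON response, or for a plain-text email, whereas a value converted to `&quot;` before insertion is correct only for HTML output.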
