[thelist] Double quotes in submitted form data WAS Double quotes ("), PHP & MySQL

Steve Lewis slewis at macrovista.net
Wed Aug 21 11:28:01 CDT 2002


Peter Duchateau wrote:

> <input type="text" name="fname" value="abc"de'fg"">
>
> The browser only displays this value: abc
> which is correct because the value is terminated at the second double quote.
>
> How can I get this to work ?

I think the magic_quotes and escape_slashes camp is missing the boat on
this problem.

I ran into this bug in ColdFusion first, and I had to create a UDF
(translate as: a function) that preprocesses data fields before I normally
process the form fields.  This is part of a 'feature' of browsers
(IE in particular) that transforms HTML Entities into their character
equivalent at page display time when they are used in form fields, and
then submits the character equivalent instead of the HTML entity when
the form is resubmitted... and the behavior you are seeing was pointed
out to me in this context.  When I figured out what was going on, I was
able to see it should apply on the initial submit of data as well.

If you change a double quote to a single quote you are changing the
user's content, and that may change the meaning.

To fix this, you will need to replace the " with the HTML Entity--
&quot; --every time you process a submitted form.  You must preprocess
form data, replacing these characters with their HTML character entity,
before normally processing the submitted data at submit time.  This
means before you insert or update in the database.

I run my UDF on every form element; translated to PHP, you would run a
similar function on every element you find in $_POST.

Below is the CF UDF that I use.  Translation to PHP should be easy enough.

/**
  * Convert the " in form fields to an HTML entity (&quot;)
  *  NOTE: do not process form fields of type FILE or you
  *  will corrupt the file.
  *
  * @param exception_list
  *    list of fieldnames to NOT perform this operation on
  * @param delimiter
  *    delimiter for exception_list
  * @author Steve Lewis (slewis at macrovista.net)
  * @version 1, May 06, 2002
  **/
function convertQuoteToEntity()
{
	//a var for looping
	var i = 1;
	//fieldname
	var name = "";
	// default parameter values
	var exception_list = "";
	var delimiter = ",";
	// refine parameter values
	if (ArrayLen(arguments) GT 0)
	{
		exception_list = arguments[1];
		if (ArrayLen(arguments) GT 1)
		{
			delimiter = arguments[2];
		}
	}
	for(i = 1; i LTE ListLen(form.fieldnames); i = i + 1)
	{
		name = ListGetAt(form.fieldnames, i);
		if (ListFind(exception_list, name, delimiter) EQ 0)
		{
			form[name] = ReplaceNoCase(form[name], '"', '&quot;', 'all');
		}
	}
}
/** end function **/

HTH,

-- Steve
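An added example, not part of Steve's post: a PHP translation of the ColdFusion UDF above. The function name convertQuoteToEntity is kept from the post; the $exceptionList parameter, the recursion into array-valued fields and the sample input are assumptions of this example. File uploads live in $_FILES rather than $_POST, so the FILE-field caveat from the UDF's comment is satisfied automatically.

```php
<?php
// Added example (not from the original post): replace every double quote in
// submitted form data with its HTML entity so that the value survives being
// placed back inside value="...". Field names listed in $exceptionList are
// left untouched, mirroring the UDF's exception_list argument.
function convertQuoteToEntity(array $form, array $exceptionList = array()): array
{
    foreach ($form as $name => $value) {
        if (in_array($name, $exceptionList, true)) {
            continue;
        }
        if (is_array($value)) {
            // Fields submitted as name="opt[]" arrive as arrays; recurse into them.
            $form[$name] = convertQuoteToEntity($value, $exceptionList);
        } elseif (is_string($value)) {
            // Same replacement the UDF performs with ReplaceNoCase(..., 'all').
            $form[$name] = str_replace('"', '&quot;', $value);
        }
    }
    return $form;
}

// Constructed sample standing in for a real $_POST; 'raw' is exempted.
$sample = array(
    'fname'   => 'abc"de\'fg"',
    'comment' => 'say "hi"',
    'raw'     => 'keep "this" as is',
    'opt'     => array('x"y', 'plain'),
);
$clean = convertQuoteToEntity($sample, array('raw'));

// Re-displaying the field: the entity now sits safely inside the attribute.
echo '<input type="text" name="fname" value="' . $clean['fname'] . '">', "\n";
print_r($clean);
```

Note that this reproduces the post's approach of transforming the data before it is stored. The alternative, which avoids double-encoding when the stored text is later printed through an escaping function, is to keep the raw user input in the database and call htmlspecialchars($value, ENT_QUOTES) at the point where the value is written into the HTML attribute; ENT_QUOTES also covers the single quote, which the UDF leaves alone.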