Using double quotes in the value of 'input type = "text"' does not work, the line stops with a double quote!

How can I allow users to use " (double quotation mark) inside the text box ...

Whenever I use a double quote in a field (value), then when I receive a variable in my PHP file:

$text=mysql_real_escape_string($_POST['subject']); 

and then echo it, I get a string that is escaped properly, but the string stops exactly before the double quote!

I don't want it to stop at a double quote, though!

JavaScript is used to validate the text field so that it is not empty. Maybe I should do something else with JavaScript when checking and changing the value, so that PHP can get the correct value, including double quotes?

thanks

UPDATE

CODE:

  $headline = mysql_real_escape_string($_POST['headline']);
  echo htmlentities($headline);

I tried merging the two above, which gives the same results. NOTE: I ALSO TRIED adding ENT_QUOTES to the htmlentities function ...

Unformatted string entered:

  + , . ; : - _ space & % ! ? = # * ½ @ / \ [ ]< > " ' hej hej 

It prints this when echoed:

  + , . ; : - _ space & % ! ? = # * ½ @ / \\ [ ]< > 
+6
javascript html php
4 answers

You must use htmlspecialchars($str, ENT_QUOTES) or htmlentities($str, ENT_QUOTES) to convert quotes to the HTML entity &quot;. These functions also take care of other characters that need to be encoded.

mysql_real_escape_string() is only for escaping single quotes in database queries, so you can correctly enter single quote strings in your database (and avoid SQL injections).

EDIT: Added parameters. Thanks micahwittman

+20

The reason it doesn't work when you output it to the input is that the value is truncated at the quote. You will need to use htmlspecialchars() on the output.

+3

You are mixing two things: mysql_real_escape_string is used to prepare strings for storage in the MySQL database; htmlentities is used to prepare strings for echoing in the browser. Both are important to do, but you cannot call both on the same string. Do something like the following:

  <?php
  // Copy string after escaping for mysql into $db_headline
  $db_headline = mysql_real_escape_string($_POST['headline']);
  // Copy string after escaping for page display into $html_headline
  $html_headline = htmlentities($_POST['headline']);
  // Store the headline in the database ...
  ?>
  <input type="text" name="headline" value="<?php echo $html_headline ?>" />
  ...
+2

JS will not work for changing the input string; the server must make sure, independently, that it can accept what it receives.

You could avoid double quotes with a different value, either an ASCII character or HTML &quot; etc., before passing it to your mysql escape function?

+1
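
The difference between the two kinds of escaping that the answers describe, as an added example that is not part of the original thread: it renders the field three ways and parses the markup back with DOMDocument to show which value the field ends up holding. The sample string is constructed from the question's test input, `render_input` and `parsed_value` are hypothetical helpers, and `addslashes` stands in for `mysql_real_escape_string` (both put a backslash before a double quote, which HTML does not treat as an escape).

```php
<?php
// Added example. Sample input is constructed from the question's test string.
libxml_use_internal_errors(true); // the broken markup below is intentional

$submitted = '[ ]< > " \' hej hej'; // stands in for $_POST['headline']

// Hypothetical helper: the form field as the page would emit it.
function render_input(string $attrValue): string
{
    return '<input type="text" name="headline" value="' . $attrValue . '">';
}

// Hypothetical helper: parse the markup and return the value the field holds.
function parsed_value(string $html): string
{
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

$cases = [
    // No escaping at all.
    'raw' => $submitted,
    // SQL-style escaping (assumption: addslashes stands in for
    // mysql_real_escape_string, which needs a live connection).
    'sql-escaped' => addslashes($submitted),
    // HTML attribute escaping, applied to the original input.
    'html-escaped' => htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8'),
];

foreach ($cases as $label => $attrValue) {
    $html = render_input($attrValue);
    $seen = parsed_value($html);
    printf("%s\n  markup:      %s\n  field holds: %s\n  intact:      %s\n\n",
        $label, $html, $seen, $seen === $submitted ? 'yes' : 'no');
}
```

Run it with the PHP command-line interpreter with the DOM extension enabled; each case prints the emitted markup next to the value recovered from it.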