Posted by Auddog on 11/14/06 21:20
I'm a little confused on where to place the htmlspecialchars. I have the
following form:
<form name="project" method="post" action="add_project.php">
  <p> </p>
  <table width="640" border="1" cellpadding="5" style='border-collapse: collapse'>
    <tr>
      <td width="606" bgcolor="#CCCCCC"><div align="center"><strong>Create a Project</strong></div></td>
    </tr>
    <tr>
      <td height="131"><div align="center">
        <table width="100%" border="0">
          <tr>
            <td width="33%"><div align="right">Project Name: </div></td>
            <td width="63%"><div align="left">
              <input name="pname" type="text" size="25">
            </div></td>
          </tr>
          <tr>
            <td><div align="right">Project Description: </div></td>
            <td><div align="left">
              <input name="pdesc" type="text" size="25">
            </div></td>
          </tr>
          <tr>
            <td><div align="right">Active:</div></td>
            <td><div align="left">
              <input name="active" type="checkbox" id="active" value="yes" checked>
            </div></td>
          </tr>
        </table>
        <input type="submit" name="Submit" value="Submit">
      </div></td>
    </tr>
  </table>
</form>
and when I insert the information into my database, I want to run the
Project Description (pdesc) through htmlspecialchars. I'm just not sure where
to place the code. Here is my code for the insert:
<?php
include 'config.php';
/*** create a new mysqli object with default database ***/
$connection = mysqli_connect($hostname, $username, $password, $dbname) or die ("Unable to connect");
/*** sql to INSERT a new record ***/
$sql = "INSERT INTO project
(pname, pdesc, active)
values
('$_POST[pname]', '$_POST[pdesc]', '$_POST[active]')";
// execute query
$result = mysqli_query($connection, $sql) or die ("Error in query: $sql. ".mysqli_error($connection));
// close connection
mysqli_close($connection);
header("Location: view_project.php");
exit;
?>
Thanks for any help that you might be able to provide.
A
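
An added example, not part of the original post: one way to arrange the two steps the question is about, storing the raw text with a prepared statement and calling htmlspecialchars only when the value is written into HTML. The function names save_project() and render_project_rows(), the SELECT query, the table-row markup and the 'no' value for an unchecked box are assumptions; the table and column names come from the post.

```php
<?php
// Added example (not the poster's code). Assumes PHP 7+ and that config.php
// defines $hostname, $username, $password and $dbname as in the post.

// Insert step (add_project.php): bind the values as parameters so quotes in
// the description cannot change the SQL. The text is stored unescaped.
function save_project(mysqli $connection, array $post): void
{
    $pname  = trim($post['pname'] ?? '');
    $pdesc  = trim($post['pdesc'] ?? '');
    // An unchecked checkbox is not submitted at all; 'no' is an assumed default.
    $active = isset($post['active']) ? 'yes' : 'no';

    $stmt = mysqli_prepare(
        $connection,
        'INSERT INTO project (pname, pdesc, active) VALUES (?, ?, ?)'
    );
    mysqli_stmt_bind_param($stmt, 'sss', $pname, $pdesc, $active);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

// Output step (view_project.php): htmlspecialchars goes here, at the point
// where database values are placed into the page.
function render_project_rows(mysqli $connection): string
{
    $html   = '';
    $result = mysqli_query($connection, 'SELECT pname, pdesc, active FROM project');
    while ($row = mysqli_fetch_assoc($result)) {
        $html .= '<tr>';
        foreach (['pname', 'pdesc', 'active'] as $col) {
            $html .= '<td>' . htmlspecialchars($row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    mysqli_free_result($result);
    return $html;
}

// Usage in add_project.php (mysqli errors raised as exceptions instead of die()):
// include 'config.php';
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $connection = mysqli_connect($hostname, $username, $password, $dbname);
// save_project($connection, $_POST);
// mysqli_close($connection);
// header('Location: view_project.php');
// exit;
```

Escaping at output rather than before the insert keeps the stored description usable in non-HTML contexts and avoids double-encoding when the value is later edited and saved again.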