Posted by Paul Furman on 08/10/07 00:14

Michael Fesser wrote:

> .oO(Paul Furman)
>
>>mysql_real_escape_string() is apparently chopping off anything that
>>follows a quote when I grab the data & put it in a form for editing.
>
> It doesn't chop off anything, it's a bug in your output code.
>
>>and this is where it's chopping off text after the quote:
>>
>><form action=.......
>><input type='text' size='57' name='latin_name' value="<?=$latin_name?>">


Ah, thank you!!

The bad field was using single quotes:
value='<?=$common_name?>'>

The good field had double quotes:
value="<?=$common_name?>">


> Two things:
>
> * Don't rely on short open tags, use <?php echo ...?> instead.

Yes, thanks, my code is quite a mess, partly due to collaboration. I
wondered why some were done in that fashion, now I know it's not good
practice.

> * Have a look at the generated HTML source code - it's all there, just
> improperly escaped. When printing anything to an HTML page, use
> htmlspecialchars() to escape those characters that have a special
> meaning in HTML (", &, <, >). If necessary use the ENT_QUOTES flag. See
> the manual for details.
>
> http://www.php.net/htmlspecialchars

Thanks again, it sounds like I should run that in my html_safe()
function along with stripslashes().


--
Paul Furman Photography
http://edgehill.net
Bay Natives Nursery
http://www.baynatives.com

[Back to original message]