Posted by Jerry Stuckle on 08/10/07 01:15
Paul Furman wrote:
> mysql_real_escape_string() is apparently chopping off anything that
> follows a quote when I grab the data & put it in a form for editing.
> Sorry if I'm not explaining this properly, I'm pretty confused about
> what's going on but I'm guessing someone recognizes this problem.
>
> I have code like this:
>
> function db_safe($str) {
>     $str = addslashes($str);
>     return $str;
> }
>
> function html_safe($str) {
>     $str = stripslashes($str);
>     return $str;
> }
>
> That's on my live server, I'm not sure if magic quotes is on there or I
> forgot to update because my test server version look like:
>
> function db_safe($str) {
>     // $str = addslashes($str);
>     $str = mysql_real_escape_string($str);
>     return $str;
> }
>
> Anyways then there's code like this:
>
> if (isset($_REQUEST["submit"])) {
>     $latin_name = html_safe($_REQUEST["latin_name"]);
>
>
>     if ((isset($_REQUEST["option"])) && ($_REQUEST["option"] == "update")) {
>         $id = $_REQUEST["id"];
>         $latin_name = db_safe($latin_name);
>
>
> and this is where it's chopping off text after the quote:
>
>
> <form action=.......
> <input type='text' size='57' name='latin_name' value="<?=$latin_name?>">
>
>
>
Check your page source code - you'll probably find it there.
You shouldn't be calling mysql_real_escape_string() on data which is to
be displayed. It should only be called for data you're passing on a
database call.
And if you're going to display it, you should be calling htmlentities as
you display it.
Don't keep the data in your program in either mysql or html encoded
format. Keep the pure string and just massage it as necessary, i.e.
<input type='text' size='57' name='latin_name'
value="<?php echo htmlentities($latin_name); ?>">
Also note that I'm not using short tags. Too many hosts have it disabled.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
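The pattern Jerry describes, as an added example (not code from either poster): the raw string stays in `$latin_name`, and each output boundary does its own encoding. The sample value is constructed; `mysqli_real_escape_string` is assumed as the replacement for the old `mysql_real_escape_string`.

```php
<?php
// Constructed input: the value a user might type into the latin_name field.
$latin_name = 'Quercus "alba" L.';

// Paul's original pattern: drop the raw string into a double-quoted
// attribute. The bare " inside the value ends the attribute early, so
// the browser shows only the text before the first quote.
function render_raw(string $value): string {
    return "<input type='text' size='57' name='latin_name' value=\"$value\">";
}

// Jerry's fix: encode for HTML at the moment of display. ENT_QUOTES
// makes both " and ' safe inside either attribute quoting style.
function render_safe(string $value): string {
    return "<input type='text' size='57' name='latin_name' value=\""
        . htmlentities($value, ENT_QUOTES, 'UTF-8') . "\">";
}

// The database boundary: escape only while building the query, on the
// raw string, never on a value that is also going back into HTML.
// (Assumed: mysqli, the modern replacement for the mysql_* functions.)
function for_sql(mysqli $link, string $value): string {
    return mysqli_real_escape_string($link, $value);
}

// What the browser receives in each case. The raw form contains a
// double quote that is not encoded; the safe form carries &quot;.
echo render_raw($latin_name), "\n";
echo render_safe($latin_name), "\n";

// Applying the database escaper before display is the other trap from
// the thread: backslashes end up in the form. Only the raw value should
// ever be stored in $latin_name between the two boundaries.
```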