Posted by Hilarion on 10/10/10 11:25
> > [snip]
> > THE PROBLEM: [snip]
> > if I have insert for example a " ' "
> > the field will be filled with " \' " ... IF " \ " then " \\ "
> > If I submit the form again and there are some more errors... \\ becomes \\\
> > and \\\\ and so on...
>
> http://us3.php.net/manual/en/function.urlencode.php
>
> The format of the posted values would be:
> <input type="text" name="field"
> value="<?=urlencode($_POST['field'])?>">

This will not help and it should not be used for <input> values.
"urlencode" is for passing data in the URL (if you construct
the URL in the PHP code). When you want the data to be
properly encoded for attribute values (or you want to output
text "as is" so it's not interpreted as HTML), then you should
use "htmlspecialchars":

<input type="text" name="field"
value="<?php echo htmlspecialchars( $_POST['field'] ); ?>" />

If you are using single quotes to quote attribute values,
then you should also "tell" the function (by using proper
parameters) that it should also encode the single quote char.

You should also strip slashes added by magic_quotes_gpc (or
magic_quotes_runtime) before using "htmlspecialchars" (see
my previous post in this topic).

Hilarion
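
The slash growth described in the quoted question, and the effect of stripping slashes before encoding, can be reproduced with the added example below (not code from the original post). render_value(), round_trip() and the sample input are hypothetical; addslashes() stands in for what magic_quotes_gpc did to posted data, and on an old PHP the flag would come from get_magic_quotes_gpc().

```php
<?php
// Added example; render_value(), round_trip() and $input are hypothetical.
// magic_quotes_gpc was removed in PHP 5.4, so its effect is simulated here.

// Encode a posted value for an HTML attribute.
// ENT_QUOTES encodes both " and ', so either attribute quoting style is safe.
function render_value($posted, $magicQuotesActive)
{
    if ($magicQuotesActive) {
        $posted = stripslashes($posted);   // undo the slashes PHP added
    }
    return htmlspecialchars($posted, ENT_QUOTES, 'UTF-8');
}

// Simulate one form round trip: the browser decodes the attribute value
// and posts it back; magic_quotes_gpc then behaves like addslashes().
function round_trip($attributeValue)
{
    $typed = html_entity_decode($attributeValue, ENT_QUOTES, 'UTF-8');
    return addslashes($typed);
}

// Constructed sample input: O'Reilly \ "x" <b>
$input = "O'Reilly \\ \"x\" <b>";

foreach (array(false, true) as $strip) {
    echo $strip ? "with stripslashes:\n" : "without stripslashes:\n";
    $posted = addslashes($input);          // first submission
    for ($i = 1; $i <= 3; $i++) {
        $attr = render_value($posted, $strip);
        echo "  round $i: value=\"$attr\"\n";
        $posted = round_trip($attr);       // user resubmits the form
    }
}
```

Without stripslashes() the backslashes multiply on every round; with it the value stays the same on each resubmission, and the quotes and angle bracket are encoded as entities in both cases.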