[nycphp-talk] How not to save HTML entities to the DB when using htmlentities()?

Rolan Yang rolan at omnistep.com
Sun May 27 18:07:17 EDT 2007


Maybe you're looking for something like:

// Escape for SQL only, immediately before building the query:
mysql_query("insert into mytable (`tablekey`,`rowvalue`)
values
(NULL,'".mysql_real_escape_string(html_entity_decode($datafrompage))."')");

You shouldn't have to do the html_entity_decode though. I think you're 
double converting it somewhere.

~Rolan



Michael B Allen wrote:
> Hi List,
>
> I don't do a lot of websites so pardon me if this is a stupid question.
>
> I am using htmlentities($text, ENT_COMPAT, 'UTF-8'); to escape text from
> the db to be displayed in form fields. This works fine but when the text
> is saved in the database the entities are saved with it.
>
> For example, if the text in the db is 'Mike & Ike', the form field looks like:
>
> <input type='text' name='foo' value='Mike &amp; Ike'/>
>
> This is displayed correctly but when I submit this to the server it is
> saved to the database as 'Mike &amp; Ike'. The next time it is output
> in HTML I get:
>
> <input type='text' name='foo' value='Mike &amp;amp; Ike'/>
>
> which is, of course, NOT displayed correctly.
>
> How can I protect my pages from script injection and display content in
> form fields correctly?
>
> Mike
>
>   
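To make the "double converting" point concrete, here is an added example (not code from the thread) of the split that avoids it: the form value goes into the database unmodified through a prepared statement, and HTML encoding happens once, at render time. It uses PDO with an in-memory SQLite table so it runs stand-alone; the table, column and function names are assumed, and because the attribute in the thread is single-quoted, ENT_QUOTES is used instead of ENT_COMPAT, which would leave a single quote in the value unescaped and let it close the attribute.

```php
<?php
// Added example: keep stored text raw, escape only at the HTML boundary.
// In-memory SQLite via PDO so this runs stand-alone (schema is assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (tablekey INTEGER PRIMARY KEY, rowvalue TEXT)');

// Input boundary: parameter binding handles SQL; no HTML encoding here.
function save_value(PDO $db, string $fromForm): int {
    $stmt = $db->prepare('INSERT INTO mytable (rowvalue) VALUES (:v)');
    $stmt->execute([':v' => $fromForm]);
    return (int) $db->lastInsertId();
}

function load_value(PDO $db, int $key): string {
    $stmt = $db->prepare('SELECT rowvalue FROM mytable WHERE tablekey = :k');
    $stmt->execute([':k' => $key]);
    return (string) $stmt->fetchColumn();
}

// Output boundary: encode once, for the single-quoted attribute it lands in.
function render_field(string $name, string $value): string {
    return "<input type='text' name='" . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . "' value='" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "'/>";
}

// Stand-in for the browser: it decodes the attribute before submitting the form,
// so what comes back in $_POST is the original text, not the entities.
function browser_submits(string $html): string {
    preg_match("/value='([^']*)'/", $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$key = save_value($db, "Mike & Ike <script>");
for ($round = 1; $round <= 2; $round++) {
    $html = render_field('foo', load_value($db, $key));
    echo "round $round: $html\n";                  // identical markup each round
    $key = save_value($db, browser_submits($html)); // stored text never gains entities
}

// The mistake from the thread: encoding on the way in as well as on the way out.
// The stored text now contains "&amp;", which render_field escapes again.
$wrongKey = save_value($db, htmlentities(browser_submits($html), ENT_COMPAT, 'UTF-8'));
echo "double-encoded: " . render_field('foo', load_value($db, $wrongKey)) . "\n";
```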


