Magic Quotes &amp; Forms

Magic Quotes & Forms

degauss

I'm trying to pass the following string in a textarea.

You're

"Hello"

After the form is submitted, the above gets put into a hidden field as

<input type=\"hidden\" name=\"blah\" value=\"You\'re

\"Hello\"">

And when i submit this form, it should drop it into the database.

BUT!

PHP is helpfully COMPLETELY REMOVING "Hello", so the sql statement looks like the following...

update news set headline='Hey', article='Blah You\\'re \', date='0000-00-00 00:00:00' where n_id='13'

Can anyone give an explanation on why this is happening? Or is PHP just being an ass today?

matto

i think the browser removes everything after the line break, not php.

try to encode it before storing it in a hidden input:
$data = urlencode($data);

before writing to the db, urldecode() it.

hope this works.

Anon

You don't need the escape slashes if your form is in HTML.

I would try:

$blah = stripslashes($blah);

Essentially, you wan't the info in the form to appear just like a user just typed it in. MySQL will handle quotes no problem, but the slashes that are being added are confusing the issue.

Give it a shot - no promises mind 'cause I've not had the chance to double-check 😉

good luck

degauss

Thanks for the help guys 🙂

I tried both solves, but they both kind of bombed out, still giving not returning text properly.

So i thought for a bit, and realised that since it was being returned okay on the first pass (ie: immediately after the user would have pressed submit) then the sql statement would work fine.

I removed the preview case and BAM it worked!

For some reason, PHP seems to enjoy adding slashes FAR too much for it's own good 😉

Anon

ok, to maintain the line breaks AND remove any dodgy code that might hack it's way in(one way at least):

$blah = nl2br(htmlspecialchars("$blah"));

then, if you are displaying the info again in a form field, use:

$blah = eregi_replace('<br />',"",'$blah');
$blah = eregi_replace('<BR />',"",'$blah');

Sounds like you've got it sorted anyway, but just thought I'd add an alternative 🙂

Anon

try to change all spaces to %20 ?

$text=ereg_replace(" ","%20",$text);

matto is rigth. browser delete variables all words after space. so you must change to %20 (equal to space) all your spaces :-)