[RESOLVED] " and &quot; weirdness

stry_cat

I have a form with a checkbox. The value of the check box is something like "

Blah Blah &quot; Blah &quot; Blah"

(It';s got the htmlentity for the " in the middle of it twice)

Somehow when the form gets submitted, the " becomes a "
I've tried this with both firefox and IE and have the same problem. I'm using PHP5.

in /etc/php.ini I have:
magic_quotes_gpc = Off
magic_quotes_runtime = Off

magic_quotes_sybase = Off

I thought this would mean I shouldn't have any weirdness with quotes.

With the &quote turned into a ", this of course choaks MySQL when I try to put the value into the database. I can't turn it into a " because that will mess up the checkbox html. I can't use htmlentities on $_REQUEST b/c there are other elements which might contain < or > that I don't want converted.

What can I do to make sure the &quote; doesn't get turned into a " when I submit the form.

MarkR

When you're writing an arbitrary string into HTML, be it inside an attribute value or elsewhere, you MUST escape it appropriately (e.g. with htmlspecialchars).

Failure to do this will result in data corruption (e.g. what you're seeing) and potential security / safety vulnerabilities.

Someone who can enter arbitrary HTML code into the page can both stop it working (e.g. accidentially inserting a "> followed by some html tag which ruins the page making it unusable) and inject malicious Javascript code which can steal cookies of users etc.

Mark

MarkR

NB: the value of a checkbox is an HTML attribute therefore needs to be escaped appropriately as one.

You can put any character in and it won't be modified, but of course the attribute needs to be set accordingly. This means that stuff like & needs escaping.

Mark

stry_cat

MarkR wrote:
When you're writing an arbitrary string into HTML, be it inside an attribute value or elsewhere, you MUST escape it appropriately (e.g. with htmlspecialchars).

Ok I think I understand. When I generate the form I run it thru htmlspecialchars. That seems to give the correct values when it is time to stuff it into the DB.

Thanks!