I have an application I am working on that allows users to enter a description into a form and submit it to our MYSQL database.
I send the entered information through stripslashes (because of magic quotes being enabled), then we send it through mysql_real_escape_string() so it is safe for the Database.
That works well.
BUT
I have an edit form that Administrators are supposed to use in order to correct information if the user calls in. The problem is I select the information out of the database and populate the fields in the form with the value that is in the database like so -
PRINT("
<input type = 'text' name = 'description' value = '$userObject->description'>
");
Now, we have noticed this problem that is driving us nuts. If the information from the database is:
Children's Hospital
The database stores it as
The Children/'s Hospital
(Like it should be)
I use this to strip out the slashes -
$userObject->description = stripslashes($userObject->description);
BUT....
The form displays it as : The Children (with nothing else there)
This is due to the quote that is in the string after children
How do I overcome this? I need it to display the quote in the field for accuracy. I have tried this as well -
$userObject->description = htmlentities($userObject->description);
AS WELL AS
$userObject->description = htmlspecialchars($userObject->description);
Any suggestions?
