help with quotes

kpowning

I have a form that a user fills out but if they use ("Hi") with the double quotes nothing is saved in form field named bio. How do i still save their information being submitted including their double quotes?

kpowning

Never mind (htmlspecialchars) needed to be used to show output correctly. I ended up using example:

echo stripslashes(htmlspecialchars($_SESSION['jobinfo'], ENT_QUOTES));

Which will remove any backsplashes from using (') and also will show ("Hi") with double quotes perfectly. I believe this is correct. If any one has any other ways or if this is not correct please let me know.

laserlight

That's not correct. Firstly, you should strip slashes before applying htmlspecialchars(). Next, you should only strip slashes if magic_quotes_gpc is on (and best practice states that it should be off).

As such, you could define:

function stripSlashesIfNeeded($str) {
    return get_magic_quotes_gpc() ? stripslashes($str) : $str;
}

Then use it:

echo htmlspecialchars(stripSlashesIfNeeded($_SESSION['jobinfo']), ENT_QUOTES);

Note that the ENT_QUOTES argument is unnecessary if you use double quotes to delimit HTML attribute values.

kpowning

Thanks for the info. Basically im echoing what the user has submitted in a form. So should I do this on all of the text fields, or basically everything coming from the database that the user can type in? Also get_magic_quotes is ON

kpowning

Also laserlight do you mind looking at my other thread under the coding section if you have time? THANKS

laserlight

Basically im echoing what the user has submitted in a form. So should I do this on all of the text fields, or basically everything coming from the database that the user can type in?

You should use htmlspecialchars() when printing any text that may have unescaped special characters. As such, I suggest using it on all textual data from the database.

Also get_magic_quotes is ON

Ah, but if the setting is changed to reflect good practice, then your scripts can corrupt data unless you use a stripSlashesIfNeeded function as demonstrated.