Near the bottom of this sample script, within the for loop, the second echo line uses htmlspecialchars, but for whatever reason it is not converting the special characters to HTML entities. I also tried testing just that one line in a script all by itself using a literal string, and it works as expected.
The script takes a search term, finds a row within a MySQL database and displays the result. The search word I use is "Java", and the field containing the word is "<Java> 2 for Professional Developers". It returns the complete literal string, without any conversion?
<?php
// create short variable names
$searchtype = $_POST['searchtype'];
$searchterm = $_POST['searchterm'];
$searchterm = trim($searchterm);
if (!$searchtype or !$searchterm)
{
echo 'You have not entered search details. Please go back and try again.';
exit;
}
if (!get_magic_quotes_gpc())
{
$searchtype = addslashes($searchtype);
$searchterm = addslashes($searchterm);
}
@$db = new mysqli('localhost', 'abc', '123', 'books');
if (mysqli_connect_errno())
{
echo 'Error: Could not connect to database. Please try again later.';
exit;
}
$query = "select * from books where " . $searchtype . " like '%" . $searchterm . "%'";
$result = $db->query($query);
$num_results = $result->num_rows;
echo '<p>Number of books found: ' . $num_results . '</p>';
for ($i=0; $i < $num_results; $i++)
{
$row = $result->fetch_assoc();
echo '<p><strong>' . ($i+1) . '. Title: ';
echo htmlspecialchars(stripslashes($row['title']));
echo '</strong><br />Author: ';
echo stripslashes($row['author']);
echo '<br />ISBN: ';
echo stripslashes($row['isbn']);
echo '<br />Price: ';
echo stripslashes($row['price']);
echo '</p>';
}
$result->free();
$db->close();
?>
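The following is an added example, not the poster's script. It does two things. First, it shows that htmlspecialchars() does encode the title: "<Java>" becomes "&lt;Java&gt;", which a browser then renders as the visible text "<Java>", whereas the raw, unencoded "<Java>" is parsed as an unknown tag and silently dropped, so looking at the rendered page cannot tell you whether encoding happened; only "View Source" can. Second, it shows the search rewritten so that the column name comes from a whitelist (a bound parameter cannot replace an identifier), the search term is a bound parameter of a prepared statement, and every output field is encoded. addslashes() and magic quotes are not used; get_magic_quotes_gpc() was removed in PHP 8.0. The table and column names, the placeholder credentials, the $_POST keys and the sample row are assumptions carried over from the script above.

```php
<?php
// Added example, not the original poster's code. Assumes the 'books' table and
// columns from the script above; credentials and form field names are placeholders.
declare(strict_types=1);

/** Encode a value for safe insertion into HTML text or attribute content. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- 1. Prove the encoding happens ----------------------------------------
// Constructed sample value, matching the row described in the question.
$title   = '<Java> 2 for Professional Developers';
$encoded = h($title);
// On the command line both lines are visibly different. In a browser only the
// encoded one shows the angle brackets: the raw "<Java>" is treated as a tag.
echo 'raw:     ' . $title . "\n";     // <Java> 2 for Professional Developers
echo 'encoded: ' . $encoded . "\n";   // &lt;Java&gt; 2 for Professional Developers

// --- 2. Hardened search -----------------------------------------------------
// Only these column names may reach the query. The user-facing key is looked
// up here, so the SQL identifier is never built from request input.
const SEARCHABLE_COLUMNS = [
    'author' => 'author',
    'title'  => 'title',
    'isbn'   => 'isbn',
];

/** Run the LIKE search with a prepared statement; returns rows as assoc arrays. */
function findBooks(mysqli $db, string $searchtype, string $searchterm): array
{
    if (!isset(SEARCHABLE_COLUMNS[$searchtype])) {
        throw new InvalidArgumentException('Unknown search field');
    }
    $column = SEARCHABLE_COLUMNS[$searchtype];

    // The wildcards are part of the bound value, not of the SQL text. LIKE
    // metacharacters typed by the user are escaped with a backslash, MySQL's
    // default LIKE escape character, so "%" alone cannot match every row.
    $pattern = '%' . addcslashes($searchterm, '\\%_') . '%';

    $stmt = $db->prepare("SELECT title, author, isbn, price FROM books WHERE `$column` LIKE ?");
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/** Build the result HTML; every field, not only the title, goes through h(). */
function renderBooks(array $rows): string
{
    $html = '<p>Number of books found: ' . count($rows) . '</p>';
    foreach ($rows as $i => $row) {
        $html .= '<p><strong>' . ($i + 1) . '. Title: ' . h((string) $row['title']) . '</strong>'
               . '<br />Author: ' . h((string) $row['author'])
               . '<br />ISBN: '   . h((string) $row['isbn'])
               . '<br />Price: '  . h((string) $row['price'])
               . '</p>';
    }
    return $html;
}

// Offline demonstration with a constructed row: the "<Java>" in the title
// comes out as "&lt;Java&gt;" in the generated HTML.
echo renderBooks([
    ['title' => $title, 'author' => 'Example Author', 'isbn' => '0000000000', 'price' => 49.99],
]) . "\n";

// Usage when the script is hit from the search form.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $searchtype = (string) ($_POST['searchtype'] ?? '');
    $searchterm = trim((string) ($_POST['searchterm'] ?? ''));
    if ($searchtype === '' || $searchterm === '') {
        echo 'You have not entered search details. Please go back and try again.';
        exit;
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'abc', '123', 'books');   // placeholder credentials
    $db->set_charset('utf8mb4');
    try {
        echo renderBooks(findBooks($db, $searchtype, $searchterm));
    } catch (InvalidArgumentException $e) {
        echo 'Unknown search field. Please go back and try again.';
    } finally {
        $db->close();
    }
}
```

Run it from the command line with php and the first two echo lines show the difference directly; in a browser, compare the rendered page with "View Source". The whitelist is the important part of the fix for the original query: `$searchtype` was interpolated into the SQL as a column name, which addslashes() does nothing to protect, so anything after the column name became part of the statement.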