mysql_real_escape_string($value) help

nikko50

I'm using the below to escape data going into the database. When I check the database field it shows the string prepend with a backslash which is correct right?? So now how do I display the data when I query it? For some reason when I echo the data on the page the string displays only up to the point where the escaped character begins. Say the database field shows "BOBBY AND \"TOMMY" when I print it shows only "BOBBY". Below includes how I'm printing the data.

 foreach ($_POST as $key => $value) { 
    $_POST[$key] = mysql_real_escape_string($value); 
  }

 <td>
      Description:<br>
       <input type="text" onclick="this.select();" value="<?php echo $row['description']; ?>" name="description" class="textfield" size="25">
    </td>

laserlight

When printing, use [man]htmlspecialchars/man.

nikko50

I'm trying to understand why when I print the escaped string to the screen like below the string from the database displays perfect. But when I try print the string in a textfield all the data after the escaped character is chopped off?? Any help would be greatly appreciated.

//this prints perfect
<? echo "$row[description]<br>"; ?>

//this does not
      Description:<br>
       <input type="text" onclick="this.select();" value="<?php echo $row[description]; ?>" name="description" class="textfield" size="25">

laserlight

nikko50 wrote:
I'm trying to understand why when I print the escaped string to the screen like below the string from the database displays perfect. But when I try print the string in a textfield all the data after the escaped character is chopped off?

View source. You would see that you have something like value="hello"world", which would be effectively equivalent to value="hello" (thus '"world' is not displayed). Rather, you want it to be value="hello"world", hence my suggestion that you use htmlspecialchars().

nikko50

Thanks laserlight!

laserlight

You're welcome! Remember to mark this thread as resolved 🙂