Skip to main content
A
Anonymous
November 6, 2012
Question

Confusion with html entities

  • November 6, 2012
  • 1 reply
  • 7182 views

I am POSTING a form to the same page, validating and sanitizing the input then re displaying the page, with preserved user input,  if there are any user errors such as missing form items or incorrect formats.

When an error is detected and the page re displays I use :

value="<?php if (isset($_POST['textfield'])) {echo htmlentities($_POST['textfield']);

and

value="<?php if (isset($_POST['textarea'])) {echo htmlentities($_POST['textarea']);

to re display the user input.

My problem occurs when I use single or double quotes in the form, the display shows the equivalent &#34; or &#39; instead of preserving the quotes from user input.

Perhaps this is correct, it makes sense, but I thought I was doing the right thing by using html entities to redisplay user input? I presume I am not using it correctly or missing something?

I would appreciate any help and advise with this problem

Thank you in advance.

This topic has been closed for replies.

1 reply

Rob Hecker2
Rob Hecker2
Legend
November 6, 2012

It sounds like you are using the deprecated MySQL connection.

NO ONE SHOULD BE USING THAT ANY LONGER!

Use  PDO or MySQLi with prepared statements and parameterized queries to avoid SQL injection attacks.

Then you don't have to concern yourself with quotation marks in the data. Of course you must still validate and sanitize, but you don't need to convert the quotes/appostrophes, and no htmlentities needed.

A
Anonymous
November 7, 2012

Hi

Thank you for your reply, now I am really confused!

Ok its a while since I did the programming side of my website as I have spent the last 18 months doing the content.

I link to my database using:

require_once('connections/conndelete.php');

require_once('connections/connsearch.php');

require_once('connections/connadd.php');

require_once('connections/connupdate.php');

// with the connections details in the connections file

if (!function_exists("GetSQLValueString")) {

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

switch ($theType) {

case "text":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "long":

case "int":

$theValue = ($theValue != "") ? intval($theValue) : "NULL";

break;

case "double":

$theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";

break;

case "date":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "defined":

$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

break;

}

return $theValue;

}

}

mysql_select_db($database_connsearch, $connsearch);

$query_reMenuBeds = "SELECT * FROM bedtable";

$reMenuBeds = @ mysql_query($query_reMenuBeds, $connsearch);

$row_reMenuBeds = mysql_fetch_assoc($reMenuBeds);

$totalRows_reMenuBeds = mysql_num_rows($reMenuBeds);

Is the above the depreciated code?

Please could you point me in the direction of some information on the best way to amend my code to the prepared statements and parametrized queries that you mention.

Will I still be able to pull the information from my MySQL database?

This has thrown my completely as I though I was almost ready to go online so please could you point me in the right directions to changing my code with the least changes as in PDO or MysQLi which is the nearest to what I have been doing?

Hope you can help me,

I look forward to your reply,

Thank you in advance

Date: Tue, 6 Nov 2012 15:14:30 -0700

From: forums_noreply@adobe.com

To: linda.barker7@hotmail.com

Subject: Confusion with html entities

Re: Confusion with html entities

created by Rob Hecker2 in Developing server-side applications in Dreamweaver - View the full discussion

It sounds like you are using the deprecated MySQL connection. NO ONE SHOULD BE USING THAT ANY LONGER! Use PDO or MySQLi with prepared statements and parameterized queries to avoid SQL injection attacks. Then you don't have to concern yourself with quotation marks in the data. Of course you must still validate and sanitize, but you don't need to convert the quotes/appostrophes, and no htmlentities needed.

Please note that the Adobe Forums do not accept email attachments. If you want to embed a screen image in your message please visit the thread in the forum to embed the image at http://forums.adobe.com/message/4828130#4828130

Replies to this message go to everyone subscribed to this thread, not directly to the person who posted the message. To post a reply, either reply to this email or visit the message page:

To unsubscribe from this thread, please visit the message page at . In the Actions box on the right, click the Stop Email Notifications link.

Start a new discussion in Developing server-side applications in Dreamweaver by email or at Adobe Community

For more information about maintaining your forum email notifications please go to http://forums.adobe.com/message/2936746#2936746.

Rob Hecker2
Rob Hecker2
Legend
November 7, 2012

Will I still be able to pull the data from my mysql database?

Absolutely. These are just three different ways to connect to the database. The database doesn't change.

I use PDO exclusively, but the closest to the original MySQL connection is MySQLi. Between PDO and Mysqli, one is not better than the other, but you may find it easier to switch to mysqli.

Is the function you included the way you validate and sanitize data? You need to improve on that. So yes, all that code needs to be completely rewritten.

There are probably some good mysqli tutorials and books, but I don't know of them. The second edition of PHP solutions by Powers gives code examples in both PDO and Mysqli. PHP Object Oriented Solutions, also by Powers, includes a very good validation class and instructions on using it to validate/sanitize form data (chapter 4 - alone worth the price of the book.)

You don't have to change your whole website over at once. You can even run a PDO/Mysqli connection and a mysql_query() on the same page. But eventually you want to weed out all the mysql-query calls.

This will be a lot of work and learning for you, but the result will be better, more secure code. Once you are comfortable with PDO or mysqli you will discover useful features they offer that mysql_query does not.

You should be using recent version of mysql and PHP. I believe mysql 5 and PHP 5.2, but I'm not positive.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices