A

Anonymous

Question

Confusion with html entities

Forum|Forum|13 years ago
November 6, 2012
1 reply
7165 views

I am POSTING a form to the same page, validating and sanitizing the input then re displaying the page, with preserved user input, if there are any user errors such as missing form items or incorrect formats.

When an error is detected and the page re displays I use :

value="<?php if (isset($_POST['textfield'])) {echo htmlentities($_POST['textfield']);

and

value="<?php if (isset($_POST['textarea'])) {echo htmlentities($_POST['textarea']);

to re display the user input.

My problem occurs when I use single or double quotes in the form, the display shows the equivalent " or ' instead of preserving the quotes from user input.

Perhaps this is correct, it makes sense, but I thought I was doing the right thing by using html entities to redisplay user input? I presume I am not using it correctly or missing something?

I would appreciate any help and advise with this problem

Thank you in advance.

Server side applications

This topic has been closed for replies.

Rob Hecker2

Brainiac

It sounds like you are using the deprecated MySQL connection.

NO ONE SHOULD BE USING THAT ANY LONGER!

Use PDO or MySQLi with prepared statements and parameterized queries to avoid SQL injection attacks.

Then you don't have to concern yourself with quotation marks in the data. Of course you must still validate and sanitize, but you don't need to convert the quotes/appostrophes, and no htmlentities needed.

A

Anonymous

Hi

Thank you for your reply, now I am really confused!

Ok its a while since I did the programming side of my website as I have spent the last 18 months doing the content.

I link to my database using:

require_once('connections/conndelete.php');

require_once('connections/connsearch.php');

require_once('connections/connadd.php');

require_once('connections/connupdate.php');

// with the connections details in the connections file

if (!function_exists("GetSQLValueString")) {

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

switch ($theType) {

case "text":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "long":

case "int":

$theValue = ($theValue != "") ? intval($theValue) : "NULL";

break;

case "double":

$theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";

break;

case "date":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "defined":

$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

break;

}

return $theValue;

}

mysql_select_db($database_connsearch, $connsearch);

$query_reMenuBeds = "SELECT * FROM bedtable";

$reMenuBeds = @ mysql_query($query_reMenuBeds, $connsearch);

$row_reMenuBeds = mysql_fetch_assoc($reMenuBeds);

$totalRows_reMenuBeds = mysql_num_rows($reMenuBeds);

Is the above the depreciated code?

Please could you point me in the direction of some information on the best way to amend my code to the prepared statements and parametrized queries that you mention.

Will I still be able to pull the information from my MySQL database?

This has thrown my completely as I though I was almost ready to go online so please could you point me in the right directions to changing my code with the least changes as in PDO or MysQLi which is the nearest to what I have been doing?

Hope you can help me,

I look forward to your reply,

Thank you in advance

Date: Tue, 6 Nov 2012 15:14:30 -0700

From: forums_noreply@adobe.com

To: linda.barker7@hotmail.com

Subject: Confusion with html entities

Re: Confusion with html entities

created by Rob Hecker2 in Developing server-side applications in Dreamweaver - View the full discussion

It sounds like you are using the deprecated MySQL connection. NO ONE SHOULD BE USING THAT ANY LONGER! Use PDO or MySQLi with prepared statements and parameterized queries to avoid SQL injection attacks. Then you don't have to concern yourself with quotation marks in the data. Of course you must still validate and sanitize, but you don't need to convert the quotes/appostrophes, and no htmlentities needed.

Please note that the Adobe Forums do not accept email attachments. If you want to embed a screen image in your message please visit the thread in the forum to embed the image at http://forums.adobe.com/message/4828130#4828130

Replies to this message go to everyone subscribed to this thread, not directly to the person who posted the message. To post a reply, either reply to this email or visit the message page:

To unsubscribe from this thread, please visit the message page at . In the Actions box on the right, click the Stop Email Notifications link.

Start a new discussion in Developing server-side applications in Dreamweaver by email or at Adobe Community

For more information about maintaining your forum email notifications please go to http://forums.adobe.com/message/2936746#2936746.

Rob Hecker2

Brainiac

Thank you for your reply,

I have been looking that the parameterized variables today so i understand the general concept and the fact that I wouldn't need mysql_real_escape_string.

I will get Davids book and make a start. I am sure I will have more questions in future, I am especially concerned about mysql_num_rows, I use this alot!

Thank you, as always adobe provides the best help even if it is not want you want to hear!

Date: Wed, 7 Nov 2012 11:44:51 -0700

From: forums_noreply@adobe.com

To: linda.barker7@hotmail.com

Subject: Confusion with html entities

Re: Confusion with html entities

created by Rob Hecker2 in Developing server-side applications in Dreamweaver - View the full discussion

Unfortunately it's much more than simply changing the connection. Most of the logic of your queries will be fine, except that you will use parameterized variables instead of placing the variables directly. You will not use mysql_real_escape_string. It won't be needed. I can't help you a lot with mysqli because I only use PDO, so I'm not familiar with the nuances of mysqli. With PDO, there are some significant differences that, for me, were a stumbling block, and there are some things it seems at first you can't do. for instance, there isn't an equivalent of mysql_num_rows, which seems odd until you understand why. The way you sanitize the string is OK. It does use the built-in PHP function, but I still recommend the class described in the Powers book because it gives you the whole process of validating, sanitizing, dealing with errors and making sure that the data that gets into the database has been properly filtered.

Please note that the Adobe Forums do not accept email attachments. If you want to embed a screen image in your message please visit the thread in the forum to embed the image at http://forums.adobe.com/message/4830511#4830511

Replies to this message go to everyone subscribed to this thread, not directly to the person who posted the message. To post a reply, either reply to this email or visit the message page:

To unsubscribe from this thread, please visit the message page at . In the Actions box on the right, click the Stop Email Notifications link.

Start a new discussion in Developing server-side applications in Dreamweaver by email or at Adobe Community

For more information about maintaining your forum email notifications please go to http://forums.adobe.com/message/2936746#2936746.

the issue with mysql_num_rows is with PDO, not mysqli, and there is a workaround. You don't lose anything by going to mysqli, but you may have to do some things differently.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded