NYCPHP Meetup

NYPHP.org

[nycphp-talk] How not to save HTML entities to the DB when using htmlentities()?

Michael B Allen mba2000 at ioplex.com
Sun May 27 17:55:47 EDT 2007


Hi List,

I don't do a lot of websites so pardon me if this is a stupid question.

I am using htmlentities($text, ENT_COMPAT, 'UTF-8'); to escape text from
the db to be displayed in form fields. This works fine but when the text
is saved in the database the entities are saved with it.

For example, if the text in the db is 'Mike & Ike', the form field looks like:

<input type='text' name='foo' value='Mike &amp; Ike'/>

This is displayed correctly but when I submit this to the server it is
saved to the database as 'Mike &amp; Ike'. The next time it is output
in HTML I get:

<input type='text' name='foo' value='Mike &amp;amp; Ike'/>

which is, of course, NOT displayed correctly.

How can I protect my pages from script injection and display content in
form fields correctly?

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
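The round trip the post describes, as an added example that is not part of the original message: it assumes the double escaping comes from running htmlentities() on the submitted value before it is saved, and the helper names are hypothetical. It contrasts that with escaping only at output time, using ENT_QUOTES so single quotes are covered as well.

```php
<?php
// Added example, not code from the original post. Helper names are
// hypothetical; it assumes the "&amp;" in the database comes from running
// htmlentities() on the submitted value before saving it.

// What the browser does on submit: it decodes entities in the attribute,
// so value="Mike &amp; Ike" reaches the server as "Mike & Ike".
function browserSubmits(string $html): string {
    preg_match('/value="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Render the field, escaping only at output time. ENT_QUOTES is used because
// ENT_COMPAT leaves single quotes alone, which would let a value containing
// a ' terminate a single-quoted attribute like the one in the post.
function renderField(string $stored): string {
    return '<input type="text" name="foo" value="'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '"/>';
}

// Problematic save: escaping on the way in. The column now holds "&amp;",
// and the next renderField() escapes that "&" again, giving "&amp;amp;".
function saveEscaped(string $submitted): string {
    return htmlentities($submitted, ENT_QUOTES, 'UTF-8');
}

// Correct save: store the raw text; the database is not an HTML context.
// (Use prepared statements for the actual INSERT; SQL escaping is a
// separate concern from HTML escaping.)
function saveRaw(string $submitted): string {
    return $submitted;
}

// One display / submit / save round trip through each pipeline, starting
// from the same constructed database value, then a second render.
foreach (['saveEscaped', 'saveRaw'] as $save) {
    $row = "Mike & Ike";                                   // constructed DB value
    $row = $save(browserSubmits(renderField($row)));       // stored after submit
    echo str_pad($save, 12), renderField($row), "\n";
}
```

Running it shows the saveEscaped column growing an extra "&amp;" on every submit while the saveRaw column stays "Mike & Ike" and renders identically each time.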
