hidden fields containing quotes...

23/01/2008, 11h42   #1
jodleren
hidden fields containing quotes...

Hi!

I just realised a problem in a system I am doing.
I pass data on in a hidden and a text input, of course with
value="whatever"
The problem happens with
value="whatever is there are " one more?"

How have people solved this?
23/01/2008, 11h50   #2
Rik Wasmus
Re: hidden fields containing quotes...

On Wed, 23 Jan 2008 12:42:07 +0100, jodleren <sonnich@hot.ee> wrote:

> Hi!
>
> I just realised a problem in a system I am doing.
> I pass data on in a hidden and a text input, of course with
> value="whatever"
> The problem happens with
> value="whatever is there are " one more?"
>
> How have people solved this?


htmlspecialchars($string, ENT_QUOTES);
--
Rik Wasmus
23/01/2008, 11h50   #3
Rik Wasmus
Re: hidden fields containing quotes...

On Wed, 23 Jan 2008 12:50:01 +0100, Rik Wasmus
<luiheidsgoeroe@hotmail.com> wrote:

> On Wed, 23 Jan 2008 12:42:07 +0100, jodleren <sonnich@hot.ee> wrote:
>
>> Hi!
>>
>> I just realised a problem in a system I am doing.
>> I pass data on in a hidden and a text input, of course with
>> value="whatever"
>> The problem happens with
>> value="whatever is there are " one more?"
>>
>> How have people solved this?
>
> htmlspecialchars($string, ENT_QUOTES);


BTW, if you're just learning this now: be sure you're not vulnerable to
XSS attacks!
--
Rik Wasmus
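Putting Rik's one-liner and his XSS warning side by side, as an added example that is not code from the thread. The functions `render_unsafe`, `attr`, `render_safe`, `round_trip` and `self_check` and the sample value are my own; the calls are limited to ones that exist in PHP 5 so it matches the versions being discussed.

```php
<?php
// Added example (not from the thread). Sample value: the OP's own problem string.
$value = 'whatever is there are " one more?';

// Broken: raw interpolation. The embedded " closes the value attribute early, so
// the browser sees a truncated value followed by stray tokens. When $value comes
// from a user, that same early close is what turns the field into an XSS sink.
function render_unsafe($value)
{
    return '<input type="hidden" name="data" value="' . $value . '">';
}

// Fixed: encode for the HTML attribute context. ENT_QUOTES turns both " and '
// into entities (the default flags leave ' alone, which bites single-quoted
// attributes); always name the charset so multibyte input is handled correctly.
function attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_safe($value)
{
    return '<input type="hidden" name="data" value="' . attr($value) . '">' . "\n"
         . '<input type="text" name="text" value="' . attr($value) . '">';
}

// The browser decodes the entities before it submits the form, so the next
// request receives the original string back. html_entity_decode() reproduces
// that browser step here; the check passes only if nothing was lost.
function round_trip($value)
{
    return html_entity_decode(attr($value), ENT_QUOTES, 'UTF-8') === $value;
}

// Self-check: the only raw " left in the safe markup are the twelve attribute
// delimiters of the two inputs, the user's quote shows up as &quot;, and the
// round trip returns the original bytes.
function self_check($value)
{
    $safe = render_safe($value);
    return substr_count($safe, '"') === 12
        && strpos($safe, '&quot;') !== false
        && round_trip($value);
}

echo render_unsafe($value), "\n\n", render_safe($value), "\n";
echo self_check($value) ? "escaping ok\n" : "escaping FAILED\n";
```

Run it with `php example.php` and compare the two renderings: the unsafe one has the attribute cut short at the user's quote, the safe one keeps the whole string inside one attribute. The same `attr()` helper is the right tool for any attribute value, hidden or visible, but not for other contexts (a JavaScript string or a URL needs its own encoder).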
23/01/2008, 11h53   #4
Luuk
Re: hidden fields containing quotes...


"jodleren" <sonnich@hot.ee> schreef in bericht
news:831a0847-15e7-40bf-b7bb-0fa6e8ba3f2b@d21g2000prf.googlegroups.com...
> Hi!
>
> I just realised a problem in a system I am doing.
> I pass data on in a hidden and a text input, of course with
> value="whatever"
> The problem happens with
> value="whatever is there are " one more?"
>
> How have people solved this?


http://nl2.php.net/manual/en/function.htmlentities.php


23/01/2008, 12h02   #5
The Natural Philosopher
Re: hidden fields containing quotes...

Rik Wasmus wrote:
> On Wed, 23 Jan 2008 12:42:07 +0100, jodleren <sonnich@hot.ee> wrote:
>
>> Hi!
>>
>> I just realised a problem in a system I am doing.
>> I pass data on in a hidden and a text input, of course with
>> value="whatever"
>> The problem happens with
>> value="whatever is there are " one more?"
>>
>> How have people solved this?
>
> htmlspecialchars($string, ENT_QUOTES);


Yes. Any strings embedded in forms and form variables that need to use
and display quotes and the like, need expressing in 'proper' HTML.

I am not quite sure how it happens, but these seem in my case to get
magically removed when stuffing into the MySQL database.


I've probably got some magic set up by default ;-)
23/01/2008, 12h15   #6
Rik Wasmus
Re: hidden fields containing quotes...

On Wed, 23 Jan 2008 13:02:45 +0100, The Natural Philosopher <a@b.c> wrote:

> Rik Wasmus wrote:
>> On Wed, 23 Jan 2008 12:42:07 +0100, jodleren <sonnich@hot.ee> wrote:
>>
>>> Hi!
>>>
>>> I just realised a problem in a system I am doing.
>>> I pass data on in a hidden and a text input, of course with
>>> value="whatever"
>>> The problem happens with
>>> value="whatever is there are " one more?"
>>>
>>> How have people solved this?
>>
>> htmlspecialchars($string, ENT_QUOTES);
>
> Yes. Any strings embedded in forms and form variables that need to use
> and display quotes and the like, need expressing in 'proper' HTML.
>
> I am not quite sure how it happens, but these seem in my case to get
> magically removed when stuffing into the MySQL database.
>
>
> I've probably got some magic set up by default ;-)


Nope, just look at the raw POST or GET request. The magic is in the
browser/UA (which is the agent who can actually do something with/use html
entities).

--
Rik Wasmus
23/01/2008, 12h20   #7
C. (http://symcbean.blogspot.com/)
Re: hidden fields containing quotes...

On 23 Jan, 12:02, The Natural Philosopher <a...@b.c> wrote:
> Rik Wasmus wrote:
> > On Wed, 23 Jan 2008 12:42:07 +0100, jodleren <sonn...@hot.ee> wrote:
> >> Hi!
> >>
> >> I just realised a problem in a system I am doing.
> >> I pass data on in a hidden and a text input, of course with
> >> value="whatever"
> >> The problem happens with
> >> value="whatever is there are " one more?"
> >>
> >> How have people solved this?
> >
> > htmlspecialchars($string, ENT_QUOTES);
>
> Yes. Any strings embedded in forms and form variables that need to use
> and display quotes and the like, need expressing in 'proper' HTML.
>
> I am not quite sure how it happens, but these seem in my case to get
> magically removed when stuffing into the MySQL database.
>
> I've probably got some magic set up by default ;-)


Note to OP: PHP historically tried to fix this with a
'magic_quotes_gpc' setting - which didn't work - so more settings got
added, until everybody agreed that PHP should do its job and the
programmer should do hers. The settings are still there in 5.2 but
should all be switched OFF. If you're really interested have a google
for the long sad story.

Note 2: in HTML and Javascript, you can put double quotes inside
single quotes (where they will be ignored) and vice-versa, but (AFAIK)
you can't *escape* quotes - hence using htmlentities.

HTH

C.
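Following up C.'s note on magic_quotes_gpc, here is an added example (not code from the thread) of how to detect the setting and undo the addslashes() mangling it applies, so that escaping happens exactly once, at output. The functions `magic_quotes_active`, `undo_magic_quotes` and `normalised_input` and the constructed request array are my own; the setting itself should be `magic_quotes_gpc = Off` in php.ini as C. says, and this code is for the case where you do not control php.ini.

```php
<?php
// Added example (not from the thread): coping with magic_quotes_gpc.
// With the setting on, PHP runs addslashes() over every GET/POST/COOKIE value
// before the script sees it, so the OP's string would arrive with a backslash
// in front of the quote. The setting is PHP_INI_PERDIR, so a script cannot
// switch it off at runtime: it must be off in php.ini, and code that may run
// on someone else's server should undo it rather than guess.

// True only when the deprecated setting is actually active. get_magic_quotes_gpc()
// always returns false from PHP 5.4 on and was removed in PHP 8, hence the guard.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Reverse addslashes() on a scalar or a nested array (form arrays like field[]).
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Normalise a raw superglobal once, at the top of the request, so the rest of
// the script always works on the exact bytes the user submitted.
function normalised_input(array $raw)
{
    return magic_quotes_active() ? undo_magic_quotes($raw) : $raw;
}

// Typical use at the top of a request handler (empty array under the CLI).
$input = normalised_input($_POST);

// Constructed request: what a server with magic_quotes_gpc = On would hand us.
$submitted = 'whatever is there are " one more?';
$mangled   = array(
    'data' => addslashes($submitted),
    'tags' => array(addslashes("it's"), addslashes('a\\b')),
);

// Undoing the mangling recovers the original bytes, including the quote and the
// backslash, for scalars and nested arrays alike.
$clean     = undo_magic_quotes($mangled);
$recovered = ($clean['data'] === $submitted
           && $clean['tags'][0] === "it's"
           && $clean['tags'][1] === 'a\\b');
echo $recovered ? "original input recovered\n" : "recovery FAILED\n";

// Escaping happens once, at output, for the context the data lands in.
echo '<input type="hidden" name="data" value="'
   . htmlspecialchars($clean['data'], ENT_QUOTES, 'UTF-8') . "\">\n";
```

The reason to undo the setting rather than rely on it is the one C. gives: addslashes() is a database escape applied blindly to input, while the field here is HTML, and the same string will need different escaping again if it goes into a query (use the driver's parameter binding) or into JavaScript. Input-time mangling also doubles up if a later layer escapes again, which is where the stray backslashes in a database usually come from.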
23/01/2008, 15h25   #8
The Natural Philosopher
Re: hidden fields containing quotes...

C. (http://symcbean.blogspot.com/) wrote:
> On 23 Jan, 12:02, The Natural Philosopher <a...@b.c> wrote:
>> Rik Wasmus wrote:
>>> On Wed, 23 Jan 2008 12:42:07 +0100, jodleren <sonn...@hot.ee> wrote:
>>>> Hi!
>>>> I just realised a problem in a system I am doing.
>>>> I pass data on in a hidden and a text input, of course with
>>>> value="whatever"
>>>> The problem happens with
>>>> value="whatever is there are " one more?"
>>>> How have people solved this?
>>> htmlspecialchars($string, ENT_QUOTES);
>>
>> Yes. Any strings embedded in forms and form variables that need to use
>> and display quotes and the like, need expressing in 'proper' HTML.
>>
>> I am not quite sure how it happens, but these seem in my case to get
>> magically removed when stuffing into the MySQL database.
>>
>> I've probably got some magic set up by default ;-)
>
> Note to OP: PHP historically tried to fix this with a
> 'magic_quotes_gpc' setting - which didn't work - so more settings got
> added, until everybody agreed the PHP should do its job and the
> programmer should do hers. The settings are still there in 5.2 but
> should all be switched OFF. If you're really interested have a google
> for the long sad story.

I ought to check..

> Note 2: in HTML and Javascript, you can put double quotes inside
> single quotes (where they will be ignored) and vice-versa, but (AFAIK)
> you can't *escape* quotes - hence using htmlentities.

Found out the hard way here..;-)

The other gotcha was trying to print % signs in a printf
statement..finally remembered it's '%%' in that syntax....

God I am so rusty...

> HTH
>
> C.
