[RESOLVED] php mysql href input text issues

[Static]

lol.. not sure how to word the title!

Ok, If I store HTML in the database, specifically a href link

Code:

<a href="blah.com">click</a>

i am trying to pull it back out to an input text field, but since it has the " s its screwing up the html

Code:

<input type="text" name="msg_' . $row['UID'] . '" value="' . stripslashes($row['MSG']) . '" size="75" maxsize="100" />

i tried the addslashes/stripslashes... but it doesnt help?

[kows]

htmlentities()

[penagate]

Rule of thumb: If you're using addslashes and stripslashes, you probably shouldn't be.

[Static]

care to elaborate Mr. penagate?

the reason I am using them is that I have some things like "news items" and gift descriptions that need to be edited. When pulling them from the database and setting the value of a textbox, what if the is a ' in it? or " , etc?

examples are always greatly appreciated


looking at the htmlentities... I cant see how it would work? fine, it converts to ' etc... but when loading that into a text, converting it back will be the same issue? wont it?

wait.... textarea will fix the whole thing wont it.

Edit:
Yes, it works fine with add/strip slashes.. tell me why I shouldnt use it?

Edit again:
Im answering my own questions... ok, im seeing how this is safer

thanks!

[kows]

htmlentities() will convert all of the HTML entities (ampersands, quotes, etc) in the text to their HTML equivalent (&, ", etc). if you absolutely need to reverse this, you can use html_entity_decode().

using addslashes() or stripslashes() is ... useless? you can't "escape" the attribute values of HTML tags like you're trying to. and if your data is in a database already and you're retrieving it, then you don't need to worry about stripping any slashes or adding any. the only thing I could even think of that you might use it for is data entry for a database, and if you're using these functions to do that then you should definitely STOP. use mysql_real_escape_string() instead, or use prepared SQL statements if you using PDO or MySQLi.

[Static]

Im seeing that. I was using it because when printing it back to the page inside the value="..." part of a text input, the " and ' were messing it up. But, using the textarea + the htmlentities() works like a charm!

Thanks!

[kows]

you can actually just use a regular <input> and htmlentities(), but if you actually need a <textarea> then I guess that works too.

[Static]

I tried using regular input text , but since the html code had "s in it, it was messing up my code when using echo.

[kows]

I'm not sure how, but it sounds like you were just using it wrong. A textarea ignores quotes in the first place. anyway, the proper way to use this function (I hope you looked at the examples on PHP.net, too):

PHP Code:

<?php
  $myvar = 'this text has """" lots of double quotes!';
?>
<input type="text" value="<?php echo $myvar; ?>" />

<!--
  this will obviously output the following, which will break the <input>'s value attribute:
  <input type="text" value="this text has """" lots of double quotes!" />
-->

<input type="text" value="<?php echo htmlentities($myvar); ?>" />

<!--
  however, this will output properly formatted text instead, and will not break:
  <input type="text" value="this text has &quot;&quot;&quot;&quot; lots of double quotes!" />
-->

hope that helps!