Yeah thanks for the

greg — Sun, 05 Oct 2008 17:09:51 +0000

Yeah thanks for the correction. It was a quickly typed question.

Quote: Shouldn't

decibel.places — Sun, 05 Oct 2008 14:36:34 +0000

Quote:

Shouldn't mysql_escape put a slash in front of each ", so it would be stored in the db as :
hello /"world/"

just a minor correction/comment:

the example incorrectly uses forward slashes to escape, instead of backslashes. It should be:

"hello \"world\""

While pr0gr4mm3r has explained how to deal with quotes and special characters in PHP, you need to pay close attention to escaped characters working with form input using JavaScript.

pr0gr4mm3r wrote: Nope, the

greg — Sun, 05 Oct 2008 14:08:00 +0000

pr0gr4mm3r wrote:

Nope, the backslash is in the query and it tells MySQL to treat the quotes as a part of a string, and not a string terminator.

yeees. and I had this discussion a while back in this forum...I remember now.

pr0gr4mm3r wrote:

Your HTML probably looked something like this:

<input type="text" name="some_input" value="hello "world""

Your browser takes the first quote before 'world' as the end quote of the string.

It's in php, so this is what it actually is

<?php
echo '<td><input type="text" name="songname['.$song_id.']" maxlength="70" size="70" value="'.$song_name.'"></td>';
?>

So you are correct (again )

Something so simple.. I was ready to go find the the server and strip out its hard drive, and it was basic html knowledge.

Cheers programmer

It is stored in the db

pr0gr4mm3r — Sun, 05 Oct 2008 13:07:00 +0000

It is stored in the db exactly as that. Shouldn't mysql_escape put a slash in front of each ", so it would be stored in the db as...

Nope, the backslash is in the query (you can verify by temporarily echoing it to the browser), and it tells MySQL to treat the quotes as a part of a string, and not a string terminator. There is no need to store that in the database.

No quotes and the word in the quotes also gone (the space is still present after the first word).

Using htmlspecialchars() when you are displaying output from the database will solve that problem. Your HTML probably looked something like this:

<input type="text" name="some_input" value="hello "world""

Your browser takes the first quote before 'world' as the end quote of the string. By using htmlspecialchars(), it will look like this, and display correctly:

<input type="text" name="some_input" value="hello "world"">

Hope this helps.