Welcome to WebmasterWorld Guest from 184.108.40.206
echo "<p>You searched for: ".$var."<br>\n";
One of the possible $vars in the form includes a single quote e.g. D'en Something.
when i echo this on to the next page it comes out like
You searched for: D\'en Something
with a backslash.
i have tried using all sorts of html special codes to replace the ' in the <option> tag, but i can't get it to go away.
* i use $var = @$_REQUEST['a'] ; to get the variable
* magic_quotes are on
thanks for help
string stripslashes ( string str)
Returns a string with backslashes stripped off. (\' becomes ' and so on.) Double backslashes are made into a single backslash.
CGI is a mystery to me... but you might want to search google for cgi remove slashes or cgi strip slashes...
this will be my first foray into programming, and now that the script works, i spent most of yesterday looking at possible security issues - mostly to do with checking variable types and / or content using istype and eregi, etc.
is the use of magic quotes also a possible hole?
and something that has been puzzling me is:
i update the database using a textarea and input fields. some of the text is in foreign language with accents and all - and yet php or mysql automatically converts these to their html special codes - is this an automatic feature? is this something to do with magic_quotes?
at the moment i do not use htmlspecialchars anywhere in my script, either for inserting or displaying data?
sorry for convoluted question ;-)
I usually turn it off too. I use htmlentities($str,ENT_QUOTES) instead.
If you are worried about security then you should also consider turning off register_globals (which judging by your code is currently on). It can be a major security hole and most php hosts now turn it off by default.
You would then access the variable from your input by using either $_GET['var'] or $_POST['var'] as appropriate.
(not just a dab hand at css i see :-)
i have register_globals off - that was one of first things i checked after yesterdays' security investigations.
i'll have a look at turning off magic quotes too, as i can imagine in the future it might be more appropriate.
p.s. any idea how mysql or php automatically converts é to é when reading out data from db? it is a fantastic function but have never read about it anywhere and have done nothing conciously to enable it. just curious.