Forum Moderators: coopster
echo "<p>You searched for: ".$var."<br>\n";
One of the possible $vars in the form includes a single quote e.g. D'en Something.
When I echo this onto the next page it comes out like
You searched for: D\'en Something
with a backslash.
I have tried using all sorts of HTML special codes to replace the ' in the <option> tag, but I can't get it to go away.
* I use $var = @$_REQUEST['a']; to get the variable
* magic_quotes are on
thanks for help
string stripslashes ( string str)
Returns a string with backslashes stripped off. (\' becomes ' and so on.) Double backslashes are made into a single backslash.
CGI is a mystery to me... but you might want to search google for cgi remove slashes or cgi strip slashes...
Alex
This will be my first foray into programming, and now that the script works, I spent most of yesterday looking at possible security issues - mostly to do with checking variable types and/or content using istype and eregi, etc.
Is the use of magic quotes also a possible hole?
And something that has been puzzling me is:
I update the database using a textarea and input fields. Some of the text is in a foreign language with accents and all - and yet PHP or MySQL automatically converts these to their HTML special codes - is this an automatic feature? Is this something to do with magic_quotes?
At the moment I do not use htmlspecialchars anywhere in my script, either for inserting or displaying data.
Sorry for the convoluted question ;-)
I usually turn it off too. I use htmlentities($str,ENT_QUOTES) instead.
If you are worried about security then you should also consider turning off register_globals (which judging by your code is currently on). It can be a major security hole and most php hosts now turn it off by default.
You would then access the variable from your input by using either $_GET['var'] or $_POST['var'] as appropriate.
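A worked version of the advice in this reply, as an added example (not code from the thread): undo magic_quotes_gpc if it is on, encode the value with ENT_QUOTES before echoing it into HTML, and hand it to MySQL through a bound parameter instead of relying on magic quotes. The field name `a`, the table `items` and the `$link` mysqli connection are assumptions.

```php
<?php
// Added example (not from the thread). Three steps the replies describe:
// 1. undo magic_quotes_gpc so the script sees exactly what the user typed,
// 2. encode with ENT_QUOTES before echoing into HTML,
// 3. send the value to MySQL through a bound parameter, not magic quotes.
// Assumptions: the form field is named 'a', the table is 'items', and $link
// is an open mysqli connection created elsewhere (hypothetical).

// Return the raw submitted value, with any backslashes added by
// magic_quotes_gpc removed again.
function raw_post_value($name)
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return '';
    }
    $value = $_POST[$name];
    // Only strip when PHP actually added the slashes; stripping unconditionally
    // would corrupt a value that legitimately contains a backslash.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Encode for an HTML context. ENT_QUOTES turns ' into &#039; and " into &quot;,
// so a value like D'en Something cannot close an attribute or inject markup.
// Do this at output time, not when storing the value.
function html_safe($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$var = raw_post_value('a');

// The confirmation line from the original post, now with output encoding.
echo "<p>You searched for: " . html_safe($var) . "<br>\n";

// Re-populate the <option> so the chosen value survives the round trip intact.
echo '<option value="' . html_safe($var) . '" selected="selected">'
   . html_safe($var) . "</option>\n";

// Database lookup: the driver escapes the bound parameter for this connection,
// which is what magic quotes was only approximating.
$stmt = $link->prepare('SELECT id, name FROM items WHERE name = ?');
$stmt->bind_param('s', $var);
$stmt->execute();
$stmt->bind_result($id, $name);
while ($stmt->fetch()) {
    echo '<p>' . html_safe($name) . "</p>\n";
}
$stmt->close();
```

The browser shows the apostrophe normally because it decodes `&#039;` on display, so the backslash problem disappears without any HTML special codes in the form itself.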
(not just a dab hand at CSS I see :-)
I have register_globals off - that was one of the first things I checked after yesterday's security investigations.
I'll have a look at turning off magic quotes too, as I can imagine in the future it might be more appropriate.
cheers
P.S. Any idea how MySQL or PHP automatically converts é to &eacute; when reading out data from the DB? It is a fantastic function but I have never read about it anywhere and have done nothing consciously to enable it. Just curious.