[Webdev] escaping quotes in html

Raith Munro raith at ineffable.co.uk
Fri Aug 3 09:55:45 IST 2001


This is a pain. PHP, MySQL etc. are happy for quotes to be \"escaped\" but
not HTML which is the weak link in this chain. However, if you put the
naughty characters into your text boxes as html entities then you won't
break quotes in the input tag and the browsers will still use the real
characters in the text boxes.

<input type="text" name="foo" value="This is a &quot;Double Quoted String&quot;
by O&#039;Reilly">

It'll appear in your text box and be returned to PHP (or whatever) as

    This is a "Double Quoted String" by O'Reilly

Use the PHP function...

    $safe_string = htmlspecialchars($dodgy_string, ENT_QUOTES);

to convert some characters that may offend HTML. See htmlspecialchars and
htmlentities in the PHP manual.

Raith
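The rendering described above, written out as an added example (this is not code from the original post): a constructed value containing both kinds of quote and an ampersand is placed in a value attribute once unescaped and once through htmlspecialchars() with ENT_QUOTES, and the result is checked by counting attribute quotes and by decoding the escaped form back to the original, which is what the browser does when it fills the text box. The function names, the sample string and the extra ENT_SUBSTITUTE flag and 'UTF-8' charset argument are assumptions added here, not from the post.

```php
<?php
// Added example, not from the original post. Shows why a user-supplied
// value must be entity-escaped before it goes into an HTML attribute.
declare(strict_types=1);

// Constructed sample input: double quotes, a single quote and an ampersand.
const DODGY_STRING = 'This is a "Double Quoted String" by O\'Reilly & Co';

// Unsafe: the first " inside the value closes the value="..." attribute
// early, so the rest of the string is parsed as markup, not as text.
function renderUnsafe(string $value): string
{
    return '<input type="text" name="foo" value="' . $value . '">';
}

// Safe: ENT_QUOTES converts & < > " and ' to entities, so the attribute
// value is always exactly one quoted string. ENT_SUBSTITUTE and the charset
// argument (both assumptions beyond the post) keep invalid UTF-8 from making
// htmlspecialchars() return an empty string silently.
function renderSafe(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="foo" value="' . $safe . '">';
}

// Crude structural check: a tag with three quoted attributes should contain
// exactly six double quotes. Anything more means the value broke out.
function countDoubleQuotes(string $html): int
{
    return substr_count($html, '"');
}

// What the browser hands back: the entities decoded to the real characters.
function browserSees(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return htmlspecialchars_decode($escaped, ENT_QUOTES);
}

$unsafe = renderUnsafe(DODGY_STRING);
$safe   = renderSafe(DODGY_STRING);

echo "UNSAFE: $unsafe\n";
echo "  double quotes: " . countDoubleQuotes($unsafe) . " (attribute broken open)\n";
echo "SAFE:   $safe\n";
echo "  double quotes: " . countDoubleQuotes($safe) . " (three attributes, intact)\n";

// Round trip: the text box still shows the original characters.
assert(browserSees(DODGY_STRING) === DODGY_STRING);
echo "Round trip OK: " . browserSees(DODGY_STRING) . "\n";
```

Run with `php example.php`. The unsafe line prints eight double quotes, the safe line six; the escaped tag contains `&quot;`, `&#039;` and `&amp;` in place of the raw characters, and decoding it returns the original string unchanged.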
