single quotes and double quotes issue


Bogey


Hi all,


This is my test.php:

<?php
// Include the config with username and passwords
include($_SERVER["DOCUMENT_ROOT"] . "/config.php");

$hostname = 'localhost';
$username = $GLOBALS["dbuser"];
$password = $GLOBALS["dbpass"];
$dbname   = $GLOBALS["dbname"];

try {
    $conn = new PDO("mysql:host=$hostname;dbname=$dbname", $username, $password);
    $sql = "SELECT * FROM " . $GLOBALS["adres"];
    foreach ($conn->query($sql) as $row) {
        $name   = $row['naam'];
        $street = $row['straat'];
    }
    /*** close the database connection ***/
    $conn = null;
} catch (PDOException $e) {
    echo $e->getMessage();
}

echo $name;
?>
<table id="table1">
  <tr>
    <td><font>Name</font></td>
    <td class='tableBracket'>:</td>
    <td><input type='text' value='<?php echo $name; ?>'/></td>
  </tr>
</table>
When $row['name'] in database is test's, then I got this:
test's
Name :test (in textbox)
When $row['name'] in database is test"s, then I got this:
test"s
Name :test"s (in textbox)
So the issue is with the ' or " stored in the database.
I know it has to be with this line:
value='<?php echo $name;?>'
The browser will read it like:
value=' test'
Replacing the single quotes after value= with double quotes helps, but then it would fail when double quotes are in the database.
What would your suggestions be?
Store it in the database like this: test's instead of test's?
Edited by Bogey

I never change the data going into the database, I change the data in the database however I need to when I display the data. You want to save the original data and only change it depending on how you're displaying it. If you HTML-encode everything that goes in the database then it's only good for displaying on HTML, not email or a PDF or however else you might display data. Save the original data, convert as necessary when displaying.


So you would keep/send it to database like:

test's

and

test"s

?


Btw first post is now complete... something went wrong when posting it...

Edited by Bogey

Yes, I save the data as it was entered. I save the original data. If they wanted me to save "'" in the database then they would have typed that. Not all data goes in HTML, so I don't escape everything like I'm only going to use it in HTML. When I get the data from the database and I'm getting ready to display it, then I escape it depending on how I'm displaying it (HTML, Javascript, PDF, plain text, etc).

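The advice in the replies above (store the original value, escape at output time for the context you are writing into) applied to the test.php from the first post, as an added example that is not code from the thread. The unescaped value='<?php echo $name;?>' is not only a display bug: any stored value containing a quote can terminate the attribute, so it is the same output point an attacker would use for cross-site scripting. The example below replaces the PDO query with constructed sample values (the two from the first post) and assumes nothing about the real config.php or table; the escaping functions are standard PHP built-ins.

```php
<?php
// Added example, not code from the thread: keep the stored value as entered
// and escape it at output time, with a different escaper per output context.
// The $samples array is constructed here and stands in for $row['naam'].

declare(strict_types=1);

// Escape for an HTML text node or a quoted attribute value.
// ENT_QUOTES converts both ' (to &#039;) and " (to &quot;), so the value
// is safe inside value='...' as well as value="...".
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for use as a JavaScript string literal inside a <script> block.
// json_encode produces the quoted literal; the JSON_HEX_* flags turn
// < > & ' " into \uXXXX so the literal cannot close the script element
// or break out of the string.
function escapeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Same table row as test.php, but with the value escaped for the attribute.
function renderNameRow(string $name): string
{
    return "<tr><td>Name</td><td class='tableBracket'>:</td>"
        . "<td><input type='text' value='" . escapeHtml($name) . "'/></td></tr>";
}

// Constructed sample values: the two cases reported in the first post.
$samples = ["test's", 'test"s'];

foreach ($samples as $name) {
    echo "stored:     {$name}\n";           // unchanged, as it was entered
    echo "html attr:  " . escapeHtml($name) . "\n";
    echo "js literal: " . escapeJs($name) . "\n";
    echo "row:        " . renderNameRow($name) . "\n\n";
}
```

Run it from the command line with php and compare the "html attr" line with the "stored" line: the quote survives as an entity, so the browser shows test's in the textbox while the attribute itself stays closed. The "js literal" line shows that the HTML escaper is the wrong tool if the same value is ever written into a script block; each context gets its own escaper, which is the point of keeping the database value unencoded.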
