
I am having trouble formatting a string of data to go into an HTML input field. Here's my query:

// Bind $id as a parameter instead of interpolating it into the SQL string
// (the original "WHERE id='$id'" was open to SQL injection); `table` is
// back-quoted because TABLE is a reserved word in MySQL.
$stmt = $mysqli->prepare("SELECT * FROM `table` WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result_active = $stmt->get_result();
$row = $result_active->fetch_assoc();
// stripslashes() only makes sense if the data was slash-escaped when stored
$job_description = stripslashes($row['job_description']);

I then use the $job_description variable to show the information on the page. Later on the page, I've got a hidden form field that I need to put the information in as well. So then I do this:

<input type="hidden" name="description" value="<?php echo $mysqli->real_escape_string($job_description); ?>" />

The problem is that when the user first inputs the description field, they can use quotes, double quotes, etc. (whatever they would like). In this one example I've got here, it's not allowing for the information to go past the quotation marks. It shows up like this:

<input type="hidden" name="description" value="PLEASE NOTE: YOU MUST HAVE EXPERIENCE\r\n\r\nOne of the city\'s best employers. Basic \" handyman\" repair skills preferred. ">

When it hits the first apostrophe, it escapes it, but then because the user has used both an apostrophe AND a quotation mark, it gets confused.

1 Answer

You are COMPLETELY misunderstanding the purpose of escaping. Those functions are PURPOSE specific - and doing an SQL escape sequence is pointless when you're outputting into an HTML context, because HTML does not use SQL-style escapes, nor does SQL use HTML-style escapes. You have to use the appropriate tools for the job at hand. Since you're doing HTML, you need to use htmlspecialchars(), e.g.

<input ... value="<?php echo htmlspecialchars($job_description) ?>" />
                             ^^^^^^^^^^^^^^^^

You'd only use the sql escape stuff when the form is submitted and you're using that submitted data in an SQL context.


1 Comment

Ok yeah (obviously I'm relatively new to this). Thanks, that works perfectly! (I can accept your answer in five minutes...)
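The point the answer makes, as an added, runnable example that is not part of the original question or answer: the same user-supplied text is handled once per output context. For the HTML attribute it goes through htmlspecialchars() with ENT_QUOTES; for the SQL write-back it is not escaped at all but bound as a prepared-statement parameter. The sample string is constructed to match the one in the question, sql_escape_emulated() is an offline stand-in for mysqli::real_escape_string() (which needs a live connection), and update_description() assumes a column `job_description` in a table named `table` with an open $mysqli connection, so it is defined but not called here.

```php
<?php
declare(strict_types=1);

// Constructed sample: CR/LF plus an apostrophe AND double quotes, the mix
// that broke the original hidden field. Not data from the page's database.
$job_description = "PLEASE NOTE: YOU MUST HAVE EXPERIENCE\r\n\r\n"
    . "One of the city's best employers. Basic \"handyman\" repair skills preferred. ";

/**
 * HTML context. ENT_QUOTES converts both " and ' (to &quot; and &#039;), so
 * the value is safe inside a double- or single-quoted attribute and in element
 * bodies. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
 */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Offline emulation of mysqli::real_escape_string() (assumption: same byte
 * set as the real function: NUL, \n, \r, \, ', " and Ctrl-Z get a backslash).
 * Only used here to reproduce the broken output from the question.
 */
function sql_escape_emulated(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

/**
 * SQL context. No escaping function at all: the value is bound as a parameter,
 * so quotes inside it never reach the SQL parser. Table and column names are
 * assumed from the question; this function is not called in this script.
 */
function update_description(mysqli $mysqli, int $id, string $description): bool
{
    $stmt = $mysqli->prepare('UPDATE `table` SET job_description = ? WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('si', $description, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Broken: SQL-style escaping inside an HTML attribute. The backslashes mean
// nothing to HTML, and the raw " after the first one still closes the value.
$wrong = '<input type="hidden" name="description" value="'
    . sql_escape_emulated($job_description) . '" />';

// Fixed: HTML-style escaping. The line breaks are kept as-is (legal inside an
// attribute value); the quotes become entities and the attribute stays intact.
$right = '<input type="hidden" name="description" value="'
    . html_attr($job_description) . '" />';

echo "Broken (SQL escaping in an HTML context):\n", $wrong, "\n\n";
echo "Fixed (htmlspecialchars with ENT_QUOTES):\n", $right, "\n";
```

Run it with `php example.php` and compare the two `value="..."` strings. On PHP 8.1 and later ENT_QUOTES | ENT_SUBSTITUTE is already the default for htmlspecialchars(), but passing the flags explicitly keeps the apostrophe covered on older versions, where the default (ENT_COMPAT) leaves `'` untouched and a single-quoted attribute would still break.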
