20 Jul
2001
20 Jul
'01
4:28 a.m.
Pete wrote
Yes I'm fine thanks I have been very busy, and you?
I am currently very busy (I'm working on a economic draft... at 3:30 am!)
Why is 'htmlspecialchars' used for field
editing?
That's the question! The problem is to suppress the double quotes in the
value statement of an html input tag, but using the 'htmlspecialchars'
function here is not the solution: urlencode is far better (of course you
have to urldecode that string in the script it has been passed to).
[About Benjamin Gandon's message]
------ Fwd ------
The current version (in lib.inc.php3 1.56) is exactly
mine
(without my comments though :)) except one line that was added
and that introduces a bug :
if($last_char == $in_string && $char == ")") $in_string = false;
The bug appears if you try to exec 2 SQL queries like that
(from an uploaded file or directly in the query field because
both are handled by the same code) :
INSERT INTO foo(id, text) VALUES ('1', 'I\'m sure that \')# will cause
a
bug');
INSERT INTO foo(id, text) VALUES ('2',
'Indeed \'); that\'s the case');
Have fun ;)
Loïc
______________________________________________________________________________
ifrance.com, l'email gratuit le plus complet de l'Internet !
vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP...
http://www.ifrance.com/_reloc/email.emailif
8463
days inactive
8463
days old
0 comments
1 participants
participants (1)
-
Loïc