Hi Jocelyn!
In this case, why not try: $variable=preg_replace("/&#/","&#",$variable); I think it's a good turnaround for the < and > problem.
Well, that's not really the problem: using 'htmlspecialchars' each time a field value is passed by URL or by a form means that (from the PHP manual): '&' (ampersand) becomes '&amp;'; '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set; ''' (single quote) becomes '&#039;' only when ENT_QUOTES is set; '<' (less than) becomes '&lt;'; '>' (greater than) becomes '&gt;'.
As you can see, the result is that, depending on some configuration settings (first annoyance), certain values will contain '&#', others '&' only.
But there is a second problem: if you submit from the dedicated textarea the query "DELETE from a_table WHERE a_field = '<test>'" ... the 'htmlspecialchars' function won't be applied to it, but the hidden field defined in the same form does get it!
So a patch for the problem we are facing must take into account the way the query has been submitted.
Here is the scheme of what has to be done:
1. Since:
   - ... the only problem with these HTML special characters is actually the double quotes when they are contained in the value of a form input...
   - ... and ENT_NOQUOTES may be set...
   ... no longer use htmlspecialchars but "str_replace('"', '&quot;', $the_value)", and this only if $the_value is used as the value of a form input.
2. When 'sql.php3' is run and for each of the variables this script is sent, detect if the variable has been submitted as a predefined value of a form and, in this case, do a "str_replace('&quot;', '"', $the_value)" to use this value in the SQL query.
As you may imagine, that's not so trivial to do!
Loïc
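An added example (not phpMyAdmin's code and not the patch described in the mail) for step 1 above: the plain double-quote replacement is shown beside a variant that also escapes '&', which matters when the data itself already contains text like '&quot;'. Browser decoding of the attribute value is modelled with html_entity_decode() (an assumption), the function names are mine, and step 2 (detecting the submission path in sql.php3) is not implemented.

```php
<?php
// Added example (not phpMyAdmin code): escaping a value for value="..." in a
// form input. Browser behaviour is modelled with html_entity_decode().

// Escape a string for use inside a double-quoted HTML attribute.
// Only '&' and '"' can break out of, or be misread inside, such a value.
function escape_for_input_value(string $value): string
{
    // Order matters: '&' first, otherwise a literal '&quot;' already present
    // in the data would become a live entity and be decoded by the browser.
    return str_replace(['&', '"'], ['&amp;', '&quot;'], $value);
}

// What the mail proposes: replace only the double quote.
function naive_escape(string $value): string
{
    return str_replace('"', '&quot;', $value);
}

// Model of what the browser submits for value="..." (entities decoded).
function browser_submits(string $attribute): string
{
    return html_entity_decode($attribute, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// True when the value arrives at the script unchanged, i.e. no server-side
// "un-escaping" step is needed for it.
function round_trips(callable $escape, string $value): bool
{
    return browser_submits($escape($value)) === $value;
}

// Constructed sample queries, including the '<test>' case from the mail.
$queries = [
    "DELETE from a_table WHERE a_field = '<test>'",
    'UPDATE a_table SET a_field = "a&quot;b" WHERE id = 1', // literal &quot; in data
];
foreach ($queries as $q) {
    printf("%-60s naive:%s  full:%s\n", $q,
        round_trips('naive_escape', $q) ? 'ok' : 'CORRUPTED',
        round_trips('escape_for_input_value', $q) ? 'ok' : 'CORRUPTED');
}
```

The first query survives both variants; the second is corrupted by the quote-only replacement (the browser turns its '&quot;' into a real double quote) and survives only when '&' is escaped as well.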