CodeIgniter Forums

Full Version: database INSERT and UPDATE converts symbols to html code
I believe it's browser security to avoid breaking forms, the characters are escaped. For example, can't do <textarea><p></p></textarea>. The p tags have to be escaped before displaying the form. I've had some success with the following, although I wish a security expert could shed some light on this practice:

The first code is in the controller and the second code is in the view file (html):

Code:
// controller: undo the escaping that was applied before the content was stored
$data['entry_content'] = htmlspecialchars_decode($entry[0]['content']);

Code:
$parameters1 = array(
    'name'      => 'entry_content',
    'maxlength' => '5000',
    'rows'      => 13,
    // set_value() escapes by default, so its result is decoded again here
    'value'     => htmlspecialchars_decode(set_value('entry_content', $entry_content), ENT_QUOTES),
    'id'        => 'maintxt'
);
You're not supposed to decode something you've just encoded yourself, just don't encode in the first place. set_value() allows that, look at the link I gave in my last post.
Thank you, Narf! I didn't have that third parameter of set_value set to FALSE. Problem solved for the edit registration form, where the values are coming from the database.
PHP Code:
// third parameter FALSE: let form_input() do the only escaping
'value' => set_value('last_name', $client->last_name, FALSE),
did the trick.

But in the original form, after the form validation error messages are posted, and I have the form inputs retaining state using this code
PHP Code:
$attributes = array(
    'id'    => 'last_name',
    'name'  => 'last_name',
    'value' => set_value('last_name')
);
echo form_input($attributes);
how do I add that third parameter, when there is no default value given for the second parameter?

I tried
PHP Code:
// no default value, so NULL fills the second parameter
'value' => set_value('last_name', NULL, FALSE),
and it seemed to work. Is this correct?
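The following is an added illustration, not CodeIgniter's own code and not posted by anyone in this thread. It uses two hypothetical stand-ins, demo_set_value() and demo_form_input(), that mimic the documented behaviour of CI 3's set_value($field, $default, $html_escape = TRUE) and of form_input(), which escapes attribute values itself. It shows why escaping in both places produces the double-encoded symbols from the original question, why passing FALSE as the third parameter fixes it, and that the NULL-default variant asked about above behaves the same way. The sample value and the $post array are constructed; demo_is_double_escaped() is a hypothetical helper for spotting the symptom.

```php
<?php
// Added illustration, not CodeIgniter's own code. demo_set_value() and
// demo_form_input() are hypothetical stand-ins that mimic the documented
// behaviour of CI 3's set_value($field, $default, $html_escape = TRUE) and
// form_input(), which escapes attribute values itself. Escaping in both
// places is what turns "<" into "&amp;lt;" in the rendered form.

function demo_set_value(string $field, $default = '', bool $html_escape = true, array $post = [])
{
    // Re-populate from the submitted data when present, otherwise use the default.
    $value = array_key_exists($field, $post) ? $post[$field] : $default;
    return $html_escape ? htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') : $value;
}

function demo_form_input(array $attributes): string
{
    // Output layer: every attribute value is escaped exactly once, here.
    $html = '<input type="text"';
    foreach ($attributes as $key => $val) {
        $html .= ' ' . $key . '="' . htmlspecialchars((string) $val, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . ' />';
}

function demo_is_double_escaped(string $html): bool
{
    // Cheap check for the symptom from the thread: an entity whose own
    // ampersand was escaped again (&amp;lt; &amp;gt; &amp;quot; &amp;#039;).
    return (bool) preg_match('/&amp;(lt|gt|quot|amp|#0?39);/', $html);
}

// Constructed sample value, stored raw (unescaped) in the database.
$last_name = "O'Brien <b>";

// 1. Edit form as first posted: set_value() escapes, then form_input() escapes again.
$double = demo_form_input([
    'name'  => 'last_name',
    'value' => demo_set_value('last_name', $last_name),
]);

// 2. Same form with the third parameter FALSE: only form_input() escapes.
$single = demo_form_input([
    'name'  => 'last_name',
    'value' => demo_set_value('last_name', $last_name, false),
]);

// 3. The NULL case: no default, the value comes back from the submitted data
//    after a validation failure (constructed $_POST-style array).
$repost = demo_form_input([
    'name'  => 'last_name',
    'value' => demo_set_value('last_name', null, false, ['last_name' => $last_name]),
]);

foreach (['double' => $double, 'single' => $single, 'repost' => $repost] as $label => $html) {
    printf("%-6s double-escaped=%s  %s\n", $label, demo_is_double_escaped($html) ? 'yes' : 'no', $html);
}
```

Run it with `php demo.php`; only the first case reports double escaping. The design point is the one Narf makes: keep the stored value raw and escape it exactly once, at the output layer. Decoding stored entities with htmlspecialchars_decode(), as in the first post, only works as long as every later output step escapes again; if any path echoes the decoded value directly, stored markup becomes live markup.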
(03-11-2016, 11:59 AM)Narf Wrote: You're not supposed to decode something you've just encoded yourself, just don't encode in the first place. set_value() allows that, look at the link I gave in my last post.

Done, but when I edit a post, the &lt; less-than sign is escaped in the form input and the HTML source doesn't show the quotes/single quotes as escaped.