func_get_args splits on double quotes ruins form input
I'm building a single page / controller that interacts with the database and ran into a snag.
Within the single page I am using the Form helper library and putting down a text input field like so:
On the controller, within the view function, I am setting the variable like this:
$query = "SELECT * FROM clients WHERE client_id='{$u->getUserID()}'";
$client_info = $db->getAll($query);
$this->set('address_1', $client_info[0]['address_1']);
This works wonderfully until I try to work with inputs containing any double quotes (").
No matter what I try, if there are any double quotes, escaped or not, within that address_1 field, the string is split into two arguments, the first being assigned to the input's "value", the second, after the first double quote, being added as an additional parameter within the tag.
Let's say the DB contains the following string within the field:
This is a \"simple\" string
The html output of my single page will look like so:
<input type="text" class="ccm-input-text" string="" simple\="" value="This is a \" name="address_1" id="address_1">
I've tried using ADODB's $db->qstr method to sanitize the input into the database, and I've tried PHP's addslashes() to escape the data, but no joy.
Looking at the Helper file, it appears that PHP's function func_get_args might be doing the damage, but I have looked around and no one else has seemed to mention that as a problem.
I'm beginning to think I screwed something up somewhere.
Any help would be much appreciated.
I suppose I could just convert all double quotes to single quotes upon input to the database, but it just seems there should be a way to retain those double quotes. Anybody have any input? Is my predicament clear?
I haven't tested this, but off the top of my head -- rather than addslashes() try htmlentities().
I'll give that a shot. Thanks!
Well, no dice unfortunately. Same result with the htmlentities function.
Well I just tried it and it worked OK for me. Are you sure you're doing it in the right place?
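An added example, not code from either poster or from the concrete5 Form helper, showing what the thread is circling: the value from the database has to be escaped for the HTML attribute context (htmlentities() or htmlspecialchars() with ENT_QUOTES) at the point where it is written into the tag, and addslashes() is the wrong tool for that context. The sample value and the renderUnsafe/renderSafe functions are constructed for this illustration; they assume nothing about the Form helper's internals.

```php
<?php
// Added example (not the poster's code or the concrete5 Form helper):
// rendering a text input whose value may contain double quotes.

// Constructed sample: the string the poster says the DB field contains.
$fromDb = 'This is a \"simple\" string';

// Unsafe: the raw value is dropped into the attribute. The first " in the
// value closes value="..." and the remainder is parsed as further
// attributes, which is exactly the broken tag the poster pasted. A value
// that closes the attribute and the tag could also inject markup, so this
// is an attribute-injection (XSS) bug, not just a display glitch.
function renderUnsafe(string $name, string $value): string
{
    return sprintf(
        '<input type="text" name="%s" id="%s" value="%s">',
        $name, $name, $value
    );
}

// Safe: escape for the attribute context. ENT_QUOTES converts both " and '
// so the value stays inside the quotes whichever delimiter is used;
// htmlentities() with the same flags behaves identically for this purpose.
function renderSafe(string $name, string $value): string
{
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return sprintf(
        '<input type="text" name="%s" id="%s" value="%s">',
        $n, $n, $v
    );
}

echo renderUnsafe('address_1', $fromDb), PHP_EOL; // attribute is split apart
echo renderSafe('address_1', $fromDb), PHP_EOL;   // one intact value attribute

// The backslashes are part of the stored text: addslashes() (or qstr())
// escaped the data for the SQL string literal and it was then stored with
// the slashes in it. Binding the plain text with a parameterised query
// avoids that at the source; data already stored with slashes can be
// un-escaped once on output, and only then HTML-escaped.
echo renderSafe('address_1', stripslashes($fromDb)), PHP_EOL;
```

The order matters: escaping is chosen per output context, so the SQL layer handles quoting for SQL (ideally via bound parameters rather than qstr/addslashes), and the HTML layer escapes for HTML attributes right where the value is interpolated. Doing the HTML escape earlier, for example before the database write, is why "htmlentities" can appear not to work: the helper still receives a value with literal double quotes if the escaping happened somewhere else or was undone.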