[TYPO3-english] exec_INSERTquery escaping single quotes
Tomaz Zaman
tomaz at optiss.si
Wed Mar 11 17:22:48 CET 2009
Too late for what? :)
And yes, I'm seeing that in the DB; my function for writing into the DB
looks something like this:
function updateRecord($record) {
    // $record is the raw $_POST array, so the non-column fields are dropped first
    unset($record['update']);
    unset($record['create']);
    unset($record['Submit']);
    unset($record['terms']);
    $record['uid'] = $this->piVars['showUid'];
    $record['tstamp'] = time();
    $record['reviewal'] = '2';
    $record['pid'] = '674';
    // exec_UPDATEquery() quotes every value in $record itself
    if ($GLOBALS['TYPO3_DB']->exec_UPDATEquery('table', 'uid=' . intval($record['uid']), $record)) {
        return true;
    }
}
And my form has HTML input fields ($record == $_POST, that's why I
have the unsetting in):
function theForm($project) {
    $content = '<form action="" id="editForm" method="post">
        <table id="editTable" style="width:550px">
            <tr>
                <td>Titel van het onderzoek</td>
                <td><input name="titel" type="text" id="Title" value="' . $project['title'] . '"/></td>
            </tr>
    ...
So I don't see where the escaping comes from.
Xavier Perseguers wrote:
> Hi,
>
>> Hey, I'm making a custom extension where users need to enter some data
>> into input fields. I then use the function exec_INSERTquery to write
>> that data into the database. The problem I'm having is when someone
>> enters something like: Tom's title (notice the ' char).
>>
>> That value gets saved like Tom\'s title into the database and gets
>> displayed like that in the FE.
>
> You are double-escaping your string somewhere. You should not see any
> garbage escaped character such as \' in your database. If you see it
> there, it's already too late!
>
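The following stand-alone PHP script is an added illustration of the double escaping Xavier describes; it is not code from this thread and not TYPO3's own API. The functions fullQuoteStrStandIn(), buildUpdateQuery(), simulateRoundTrip() and recordFromPost() are hypothetical stand-ins for what the TYPO3 DB layer does with a field => value array, using addslashes() instead of mysql_real_escape_string() so the script runs without a database:

```php
<?php
// Added example, not code from the thread. Models the double escaping the reply
// describes: a value escaped once before exec_UPDATEquery(), which quotes it again.
// Runs stand-alone (no TYPO3, no database); all four functions are stand-ins.

// Stand-in for t3lib_DB::fullQuoteStr(): wraps the value in quotes and escapes it
// (the real one uses mysql_real_escape_string(); addslashes() keeps this offline).
function fullQuoteStrStandIn($value) {
    return "'" . addslashes($value) . "'";
}

// Stand-in for the UPDATE builder behind exec_UPDATEquery(): every value in the
// field => value array is quoted here, so callers must pass raw, unescaped values.
function buildUpdateQuery($table, $where, array $fields) {
    $set = array();
    foreach ($fields as $field => $value) {
        $set[] = $field . '=' . fullQuoteStrStandIn($value);
    }
    return 'UPDATE ' . $table . ' SET ' . implode(', ', $set) . ' WHERE ' . $where;
}

// What MySQL ends up storing for a value the DB layer quoted: the server strips the
// quotes and exactly one level of backslash escaping when it parses the statement.
function simulateRoundTrip($value) {
    $literal = fullQuoteStrStandIn($value);
    return stripslashes(substr($literal, 1, -1));
}

// Builds the record for the DB layer from $_POST: only the columns you expect are
// copied (instead of unset()ting the ones you do not want), and the slashes that
// magic_quotes_gpc added are removed once, so the DB layer's quoting is the only
// escaping that happens. TYPO3 4.x does this stripping for you in t3lib_div::_GP().
function recordFromPost(array $post, array $allowedColumns) {
    $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    $record = array();
    foreach ($allowedColumns as $column) {
        if (isset($post[$column])) {
            $record[$column] = $magicQuotesOn ? stripslashes($post[$column]) : $post[$column];
        }
    }
    return $record;
}

// Constructed request data: with magic_quotes_gpc on (PHP < 5.4), or after a manual
// addslashes(), $_POST['title'] already reads Tom\'s title before the DB layer sees it.
$rawInput = "Tom's title";
$postAlreadyEscaped = array('title' => addslashes($rawInput), 'Submit' => 'Save');

// Wrong: hand the pre-escaped array straight to the DB layer. The quote is escaped a
// second time and the backslash survives into the table (the symptom from the mail).
echo buildUpdateQuery('tx_myext_table', 'uid=5', array('title' => $postAlreadyEscaped['title'])), "\n";
echo 'stored: ', simulateRoundTrip($postAlreadyEscaped['title']), "\n";   // Tom\'s title

// Right: undo the extra level once and let the DB layer do the only escaping.
$clean = array('title' => stripslashes($postAlreadyEscaped['title']));
echo buildUpdateQuery('tx_myext_table', 'uid=5', $clean), "\n";
echo 'stored: ', simulateRoundTrip($clean['title']), "\n";                // Tom's title

// recordFromPost() also drops the stray 'Submit' key instead of relying on unset().
var_dump(recordFromPost($postAlreadyEscaped, array('title')));
```

Run it with the php CLI: the first statement carries 'Tom\\\'s title' and stores Tom\'s title, the second carries 'Tom\'s title' and stores Tom's title. The same thing happens in the thread's updateRecord() if $_POST is read directly while magic_quotes_gpc is on: exec_UPDATEquery() quotes every value itself, so any escaping done before the call is one level too many. The value that comes back out should also be passed through htmlspecialchars() before being placed into the value="..." attribute in theForm(), since the DB layer's quoting protects the SQL statement and not the HTML.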