[TYPO3-english] exec_INSERTquery escaping single quotes
Tomaz Zaman
tomaz at optiss.si
Wed Mar 11 23:11:31 CET 2009
Found a solution. I was wrong in the first place: I was using $_POST
instead of t3lib_div::_POST. Now I have replaced it and it works like it should.
Tom
Tomaz Zaman wrote:
> Too late for what? :)
> And yes, I'm seeing that in the DB. My function for writing into the DB
> looks something like this:
>
> function updateRecord($record) {
>     // drop the form-control fields so only column values reach the query
>     unset($record['update']);
>     unset($record['create']);
>     unset($record['Submit']);
>     unset($record['terms']);
>     $record['uid'] = $this->piVars['showUid'];
>     $record['tstamp'] = time();
>     $record['reviewal'] = '2';
>     $record['pid'] = '674';
>
>     if ($GLOBALS['TYPO3_DB']->exec_UPDATEquery('table', 'uid=' . intval($record['uid']), $record)) {
>         return true;
>     }
> }
>
>
> And my form has HTML input fields ($record == $_POST, that's why I
> have the unsetting in):
>
> function theForm($project) {
> $content = '<form action="" id="editForm" method="post">
> <table id="editTable" style="width:550px">
>
> <tr>
> <td>Titel van het onderzoek</td>
> <td> <input name="titel" type="text" id="Title"
> value="' . $project['title'] . '"/></td>
> </tr>
>
> ...
>
>
> So I don't see where the escaping comes from.
>
> Xavier Perseguers wrote:
>> Hi,
>>
>>> Hey, I'm making a custom extension where users need to enter some
>>> data into input fields. I then use the function exec_INSERTquery to
>>> write that data into the database. The problem I'm having is when
>>> someone enters something like: Tom's title (notice the ' char).
>>>
>>> That value gets saved like Tom\'s title into the database and gets
>>> displayed like that in the FE.
>>
>> You are double-escaping your string somewhere. You should not see any
>> garbage escaped character such as \' in your database. If you see it
>> there, it's already too late!
>>
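The double escaping discussed in this thread, as an added example that is not code from the thread or from TYPO3 itself: with magic_quotes_gpc enabled, PHP already backslash-escapes every $_POST value, and the DB layer then escapes it a second time, which is how "Tom\'s title" ends up stored. The script below simulates both layers and the database's unquoting with addslashes()/stripslashes() so it runs offline without a database; normaliseInput() is a hypothetical helper that mirrors what t3lib_div::_POST() did in TYPO3 4.x (strip the magic-quotes slashes once), and the boolean $magicQuotesOn stands in for the old get_magic_quotes_gpc() check so the script runs on current PHP.

```php
<?php
// Added example (not code from the thread or from TYPO3): shows why handing
// $_POST straight to the DB layer yields "Tom\'s title", and why undoing the
// magic_quotes_gpc layer first, as t3lib_div::_POST() did, fixes it.
// The DB escaping and the SQL parser are simulated so this runs offline.

// Constructed sample input: the value a user typed into the form.
const RAW_INPUT = "Tom's title";

// Layer 1: PHP's magic_quotes_gpc (removed in PHP 5.4) added backslashes to
// every GPC value before the script saw it. Simulated with addslashes().
function magicQuotesLayer(string $value): string {
    return addslashes($value);            // "Tom\'s title"
}

// Layer 2: what the DB API (fullQuoteStr / exec_*query in TYPO3 4.x) does
// to each value before building the SQL statement. Simulated with addslashes().
function dbEscape(string $value): string {
    return addslashes($value);
}

// The database parses the quoted literal and drops the escaping backslashes;
// stripslashes() stands in for that step and returns what gets stored.
function storedByDatabase(string $escapedLiteral): string {
    return stripslashes($escapedLiteral);
}

// Hypothetical helper mirroring t3lib_div::_POST(): undo the magic-quotes
// layer exactly once, so the DB layer is the only place escaping happens.
// $magicQuotesOn replaces the old get_magic_quotes_gpc() check.
function normaliseInput(string $value, bool $magicQuotesOn): string {
    return $magicQuotesOn ? stripslashes($value) : $value;
}

$fromPost = magicQuotesLayer(RAW_INPUT);                      // Tom\'s title

// Wrong path: $_POST used directly, escaped a second time by the DB layer.
$doubleEscaped = dbEscape($fromPost);                         // Tom\\\'s title
$storedWrong   = storedByDatabase($doubleEscaped);            // Tom\'s title

// Right path: normalise once, then let the DB layer escape once.
$singleEscaped = dbEscape(normaliseInput($fromPost, true));   // Tom\'s title
$storedRight   = storedByDatabase($singleEscaped);            // Tom's title

printf("stored via \$_POST directly:  %s\n", $storedWrong);
printf("stored via normalised input: %s\n", $storedRight);
```

The point to take from the two paths is that escaping must happen in exactly one place, the layer that builds the SQL; any layer that reads raw request data should deliver it unescaped, which is what the switch from $_POST to t3lib_div::_POST restores.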