Good afternoon everyone!
Someone please explain to me, the unlucky one, how to correctly display a value from the MySQL database if part of it is enclosed in quotes. Here is a specific case. In the database, in one of the rows, in the “org_name” column, there is an entry: OJSC “Rostelecom”. There is a place in the PHP script where you need to display this entry, namely:
<input type="text" name="ORG_NAME" value="'.$row['org_name'].'">
As a result, OJSC is entered as the value in the form, and Rostelecom is lost… How can this be overcome?
Answer 1, authority 100%
See function htmlspecialchars()
That is, in your example it will be completely like this:
<input type="text" name="ORG_NAME" value="' . htmlspecialchars($row['org_name']) .'">
And here is what's important. Generally speaking, you should pass through this function not only “the value enclosed in quotes”, but in general all strings that can potentially contain quotes, ampersands, and greater-than and less-than signs.
And if you didn’t put this value into the database yourself, but accepted it from user input, then immediately “hello, XSS”.
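The effect described in the question and the fix from the answer, as an added example that is not part of the original posts: it builds the same input tag with and without htmlspecialchars() and reads the value attribute back with an HTML parser. The rows are constructed sample data, and e() and parsedValue() are hypothetical helper names.

```php
<?php
// Added example: constructed rows standing in for the MySQL result set.
$rows = [
    ['org_name' => 'OJSC "Rostelecom"'],
    ['org_name' => 'A&B <Ltd> "North" \'West\''],
];

// Hypothetical helper: escape a string for HTML text and quoted attribute values.
// ENT_QUOTES also escapes single quotes, so it is safe in either quoting style.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: parse the markup and return what ended up in value="...".
function parsedValue(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // malformed markup is expected in the raw case
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

foreach ($rows as $row) {
    // Raw concatenation, as in the question: the attribute ends at the first embedded quote.
    $raw  = '<input type="text" name="ORG_NAME" value="' . $row['org_name'] . '">';
    // Escaped, as in the answer: the parser decodes the entities back to the stored text.
    $safe = '<input type="text" name="ORG_NAME" value="' . e($row['org_name']) . '">';

    echo "stored : ", $row['org_name'], "\n";
    echo "raw    : ", $raw, "\n";
    echo "  field shows: ", var_export(parsedValue($raw), true), "\n";
    echo "escaped: ", $safe, "\n";
    echo "  field shows: ", var_export(parsedValue($safe), true), "\n";
    echo "  round-trips: ", var_export(parsedValue($safe) === $row['org_name'], true), "\n\n";
}
```

Escape at output time and keep the stored value unmodified, so the same row can be rendered correctly in other contexts.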