How can I get these HTML characters to be displayed correctly?

Here's the code that inserts my text, which includes HTML characters:

$quote_question = str_replace('"', '"', trim($_POST['question']));
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
$the_question = mysqli_real_escape_string($cxn, $links_question);

...then I do an insert script and this is working great!

When I go to display what I've inputted, I just do an "echo $_POST['text']" and the link and the text look great.

My problem is when I go to display the question. Although it looks as the though the HTML characters have been inputted correctly, the link will show up as http://localhost/NHBC/fidelis/adm/%22http://www.brucegust.com%22. In other words, the link is being displayed with my localhost URL prior to it.

What am I doing wrong? The info is being inputted in correctly, but I can't make it render accurately when I go to display it.

Thoughts?
Bruce GustPHP DeveloperAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

StingRaYCommented:
Seems like your link surrounded with quotes before htmlspecialchars() to it. Make sure that $_POST['question'] is http://www.brucegust.com (unquoted) not "http://www.brucegust.com" (quoted).
0
Hugh McCurdyCommented:
In case StingRay's solution doesn't work, I suggest you print the variables as you process them to find out what is happening.

echo "POST: "; var_dump ( $_POST ); echo "<br />" . PHP_EOL;
$quote_question = str_replace('"', '&quot;', trim($_POST['question']));
echo "quote_question: $quote_question<br />" . PHP_EOL;
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
echo "links_question: $links_question<br />" . PHP_EOL;
$the_question = mysqli_real_escape_string($cxn, $links_question);
echo "the_question: $the_question<br />" . PHP_EOL;
0
Ray PaseurCommented:
Let me suggest a philosophy that may help you with this.  In doing so, I am understanding the issue to be, "People put information into my web site, I store this information in my data base and I regurgitate this information to other clients.  I am definitely interested in security and I want to be sure that I do not receive a toxic script or other dangerous information and then accidentally poison someone's web browser.  Also, I want to be able to store quote marks correctly."

The correct way to store the received information is to take the entire string of data from the external client and escape it with mysql_real_escape_string() or your favorite equivalent escape function.  Then put it into the data base table.

The correct way to regurgitate the data is to read it from the data base table and pass it through htmlentities() before sending it to the client browser output stream.

In the off-chance that you find unwanted escape characters in your data base, you might want to read this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

HTH, ~Ray
0
darren-w-Commented:
Use prepared statements, this will handle all the escaping for you,

http://php.net/manual/en/pdo.prepare.php
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.