I am trying to make an editor for a job offer. It must have a preview function. There are two forms. The first form submits the preview; the second one appears when the preview is there and sends the variables to save them in the database. The problem is that when the second form gets submitted, all quotes disappear. I tried mysql_real_escape_string, htmlspecialchars, htmlentities, but nothing works. Do you have an idea where the problem is? Could it be that there's a problem because I use the variable '$content' to store the site's content, instead of making a direct output with 'echo'? Thanks!
<td><input style='float:left;' type='submit' name='jobpreview' value='preview' />
</form>";
if(isset($_GET['preview']))
{
$_POST['titel'] = htmlentities($_POST['titel']);
$_POST['elm1'] = htmlentities($_POST['elm1']);
$content .= " <td><form action='?s=intern&sub=neuerjob&preview' method='POST'>
<input type='hidden' name='titel' value='".$_POST['titel']."' />
<input type='hidden' name='elm1' value='".$_POST['elm1']."' />
<input style='float:left;' type='submit' name='jobsave' value='save' />
</form></td></tr></table>";
}
You need to use the second parameter to htmlentities() to encode the quotes.
$titel = htmlentities($_POST['titel'], ENT_QUOTES);
$elm1 = htmlentities($_POST['elm1'], ENT_QUOTES);
<input type='hidden' name='titel' value='".$titel."' />
<input type='hidden' name='elm1' value='".$elm1."' />
For this purpose, htmlentities() is overkill though, and you can use htmlspecialchars() also with the ENT_QUOTES param.
$titel = htmlspecialchars($_POST['titel'], ENT_QUOTES);
$elm1 = htmlspecialchars($_POST['elm1'], ENT_QUOTES);
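A worked example of the point made in the answer, added here and not code from the question or the answer. It shows, on constructed sample input, what happens to a single-quoted hidden field with and without ENT_QUOTES, wraps the escaping in two small hypothetical helpers (attr() and hidden_field(), names chosen for this example), and checks that the escaped value round-trips back to the original text the way the browser resubmits it. It assumes PHP 7.x or later; note that since PHP 8.1 the default flags of htmlspecialchars() and htmlentities() already include ENT_QUOTES, so on older versions the flag must be passed explicitly as the answer says.

```php
<?php
// Added example, not code from the original question or answer.
// Why ENT_QUOTES matters when the escaped value lands inside a
// single-quoted HTML attribute, as in the job-preview form above.

// ENT_SUBSTITUTE keeps htmlspecialchars() from returning '' on invalid
// UTF-8, which would otherwise silently blank the whole field.
const HTML_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE;

// Escape a value for use inside an HTML attribute (either quote style).
// Hypothetical helper name, chosen for this example.
function attr(string $value): string
{
    return htmlspecialchars($value, HTML_FLAGS, 'UTF-8');
}

// Build one hidden input, escaping both the name and the value.
// Hypothetical helper name, chosen for this example.
function hidden_field(string $name, string $value): string
{
    return "<input type='hidden' name='" . attr($name) . "' value='" . attr($value) . "' />";
}

// Constructed sample inputs: a harmless title containing both kinds of
// quote, and a value that tries to break out of the attribute.
$samples = [
    "Senior 'PHP' Engineer (m/w/d) \"remote\"",
    "' autofocus onfocus='alert(1)",
];

foreach ($samples as $titel) {
    // ENT_COMPAT (the default before PHP 8.1) encodes " but leaves ' alone,
    // so inside value='...' the first single quote ends the attribute early
    // and whatever follows is parsed as further attributes of the <input>.
    $compat = htmlspecialchars($titel, ENT_COMPAT, 'UTF-8');
    echo "ENT_COMPAT : <input type='hidden' name='titel' value='{$compat}' />\n";

    // ENT_QUOTES encodes ' as &#039; as well, so the attribute stays intact
    // and the browser submits the original text, quotes included.
    echo "ENT_QUOTES : " . hidden_field('titel', $titel) . "\n\n";
}

// html_entity_decode() models what the browser does before it resubmits
// the hidden field: the original string must come back unchanged.
$roundtrip = html_entity_decode(attr($samples[0]), HTML_FLAGS, 'UTF-8');
echo $roundtrip === $samples[0] ? "round-trip OK\n" : "round-trip BROKEN\n";
```

Two caveats for the save step on the second form. HTML escaping belongs at output time only: the value the browser posts back is the plain text, and it should be stored as such with a prepared statement (PDO or mysqli), not run through mysql_real_escape_string or htmlentities before saving, otherwise the next preview will double-encode it. And because the hidden fields are client-controlled, the save handler should validate the posted values the same way the preview handler does rather than trust that they came from its own form.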