where to put htmlspecialchars()

Question

I am using the phpMyDataGird script to edit MySQL database tables through the web without using phpMyAdmin (I just use phpMyAdmin to manage the values but this script to manage the data)

The problem comes when I add HTML to a field. I want to be able to see them as code and not let them transform.

This is an example of how the script looks. If you click on a field you'll be able to edit it. In the first row, second column I wrote <i><b>someone</b></i> and as you can see it's not showing the code but is being bolded and italicized.

This is the main page of the script where I add my MySQL information and change settings, and this main page is connected to a page where all the script is written.

Can anyone take a look at these pages and tell me where to add the htmlspecialchars() call because I have been trying, but it's not working.

Answer 1

If You want to show the HTML special chars only in the grid (and they can stay as they are) try to edit the line 1612 in a 'page' script - that should be a mask function:

        function mask($value,$mask,$datatype,$aselect,$row){
            switch ($datatype){
                    ...
                    default:               
/*1612 line here --> */ return htmlspecialchars($value);
            }
        }

But I'm not sure if this is what You want to achieve...

EDIT: to also save the data in htmlspecialchar formatted value, try to change the line 927 from

$strUpdate = "UPDATE $this->tablename set $value=".magic_quote($nt)." $updWhere Limit 1";

to

$strUpdate = "UPDATE $this->tablename set $value=".htmlspecialchars(magic_quote($nt))." $updWhere Limit 1";

but again, I'm not sure... If this is OK, then You can remove the htmlspecialchars in previous example (line 1612).