Escaping text from a query to dynamically build an XML file

Hi,
I’m looking for some help please. I have a MySQL database with text fields that users occasionally put single and double quotes into. I am querying the database to then build an XML file with PHP for a web page to display. My problem is that the quotes completely screw up the XML feed.

I believe that I need to somehow escape the result of the query to make the results “safe” for the XML on the web page, but I don’t know how I would do that. Can someone please help?

My code looks like this…
[php]

<?php
//include db connection settings
require_once('Connections/newtest.php');
//include XML Header (as response will be in xml format)
header("Content-type: text/xml");
echo('<?xml version="1.0" encoding="utf-8"?>');

//start output of data
echo '';

//output data from DB as XML
$sql = "SELECT testcases.id, testcases.rallystory, testcases.testname, testcases.category, testcases.subcategory FROM testcases";
$res = mysql_query ($sql);

if($res){
    while($row=mysql_fetch_array($res)){
        //create xml tag for grid's row
        echo ("<row id='".$row['id']."'>");
        print("");
        print("");
        print("");
        print("");

        print("<cell><![CDATA[".$row['category']."]]></cell>");
        print("<cell><![CDATA[".$row['subcategory']."]]></cell>");
        print("<cell></cell>");

        print("</row>");
    }
}else{
    //error occurs
    echo mysql_errno().": ".mysql_error()." at ".__LINE__." line in ".__FILE__." file
";
}

echo '';

?>
[/php]

Use the htmlentities() function to escape special characters:
[php]print("");[/php]
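An added example, not part of the thread: the same kind of feed built with every value escaped, once with htmlspecialchars() and the ENT_XML1 flag and once with XMLWriter, then checked for well-formedness. The sample rows, the helper names and the `<rows>` root element are assumptions, since the page's own wrapper tags were not preserved.

```php
<?php
// Added example: constructed sample rows stand in for the testcases query result.
$rows = [
    ['id' => 1, 'category' => 'Login "smoke" tests', 'subcategory' => "User's <b>profile</b> & settings"],
    ['id' => 2, 'category' => 'Café checkout', 'subcategory' => 'data with ]]> inside'],
];

// Escape for XML text and attribute values: only & < > " ' are replaced,
// so no HTML-only named entities (e.g. &eacute;) end up in the feed.
function xml_escape($value) {
    return htmlspecialchars((string) $value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Variant 1: string building, every value escaped (<rows> root is assumed).
function build_rows_escaped(array $rows) {
    $xml = '<?xml version="1.0" encoding="utf-8"?>' . "\n<rows>";
    foreach ($rows as $row) {
        $xml .= '<row id="' . xml_escape($row['id']) . '">';
        $xml .= '<cell>' . xml_escape($row['category']) . '</cell>';
        $xml .= '<cell>' . xml_escape($row['subcategory']) . '</cell>';
        $xml .= '</row>';
    }
    return $xml . '</rows>';
}

// Variant 2: XMLWriter escapes text and attribute values itself.
function build_rows_writer(array $rows) {
    $w = new XMLWriter();
    $w->openMemory();
    $w->startDocument('1.0', 'utf-8');
    $w->startElement('rows');
    foreach ($rows as $row) {
        $w->startElement('row');
        $w->writeAttribute('id', (string) $row['id']);
        $w->writeElement('cell', $row['category']);
        $w->writeElement('cell', $row['subcategory']);
        $w->endElement();
    }
    $w->endElement();
    $w->endDocument();
    return $w->outputMemory();
}

// Both outputs must parse; DOMDocument::loadXML() returns false on malformed XML.
foreach ([build_rows_escaped($rows), build_rows_writer($rows)] as $xml) {
    $doc = new DOMDocument();
    echo ($doc->loadXML($xml) ? 'well-formed' : 'BROKEN'), "\n";
}
```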

Thanks so much… That did the trick!
