quotes messing up script, from mysql table

i made a script to add to a database, but when i add a description with ( " ) quotes, it messes everything up,

all it is is a form adding to mysql table, or updating, and when its pulled up into the page, the quotes mess with the script,,

when i go to admin page, it messed up, but works ok with quotes in another page i use for categories,,,

I can't tell without seeing the code,but usually when you want to add quotes in text you have to put a backslash in front of them:

ex: echo" "Hello World" ";

I can't tell without seeing the code,but usually when you want to add quotes in text you have to put a backslash in front of them:

ex: echo" "Hello World" ";

sorry, would help wouldnt it,,,,

users fill out form, for shop,, to add product, in the description they cant use quotes, it just messes up another script...
form:

<?
error_reporting(E_ALL);
include('../config.php');
$result1=mysql_query("select * from categories") or die ("mysql error");
$pagetitle = 'CCShop Add Product';
include('header.php');
echo "<center>";
echo "<table width=100%><tr><td bgcolor=black align=center><font size=2 color=yellow><B>Add Product</td></tr></table><BR>";
echo "<table><TR><TD>";
echo "<form action="manage.php?task=add" enctype="multipart/form-data" method='post'>";
echo "Category:</td><td>";
echo "<select name="cat_id">";
while($row = mysql_fetch_array($result1)){
$name = $row["name"];
$cat_id = $row["cat_id"];
echo "<option value="$cat_id">$name";
}
echo "</td></tr><tr><td>";
echo "Item Name: </td><td><input name=item_name type=text size=35></td></tr><tr><td>";
echo "Item Description: </td><td><font size=2>Please do not use quotes ( <font size=3>"</font> )<BR><textarea name=item_desc cols=40 rows=4></textarea></td></tr><tr><td>";
echo "Item Price: </td><td>$<input name=item_price type=text size=10><font size=2>(do not put $ in the box)";
echo "</td></tr></table>";
echo "<BR><input type=submit value="submit"></form>";
include('footer.php');
?>


from a form,,, it goes to the mysql connection to add the product..

mysql add:

<?
include('../config.php');
$pagetitle = 'Product Added';
include('header.php');

$query = "INSERT INTO products VALUES ('','$item_name','$item_desc','$item_price','','$c at_id','')";
if(mysql_query($query,$db))
{ echo "<table width=100%><tr><td bgcolor=black align=center><font size=2 color=yellow><B>$item_name was added</td></tr></table><BR>";
echo "<center><font color=blue size=3><B>$item_name successfully Added<BR>";
}
include('footer.php');
?>

then from mysql i pull it out to a page for the administrator to view the products listed and so they can edit in case of mistakes...

product mysql view:

<?

$pagetitle = 'CCShop Administration Panel';
include('header.php');


echo "<table width=600><tr>";
echo "<td bgcolor=black align=center><font size=2 color=yellow><B>Image</td>";
echo "<td bgcolor=black align=center><font size=2 color=yellow><B>Information</td>";
echo "<td bgcolor=black align=center><font size=2 color=yellow><B>Edit</td></tr>";
for ($i = 0; $i < $numOfRows; $i++){
$id = mysql_result ($result, $i, "id");
$item_name = mysql_result ($result, $i, "item_name");
$item_desc = mysql_result ($result, $i, "item_desc");
$item_price = mysql_result ($result, $i, "item_price");
$image = mysql_result ($result, $i, "image");
$cat_id = mysql_result ($result, $i, "cat_id");
$featured = mysql_result ($result, $i, "featured");
$oldimage = "$image";
echo "<tr><td align=center>";
if ($image == "")
{
echo "<a href="addpic.php?id=$id&oldimage=$oldimage">add image</a>";
}
else{
echo "<img src="$pimgurl/$image" width=75 height=75><BR><BR><a href="image.php?id=$id&oldimage=$oldimage">Edit Image</a>";
}
echo "</td>";
$query3 = "SELECT * FROM categories WHERE cat_id = '$cat_id'";
$result3 = mysql_query($query3);
$row = mysql_fetch_array($result3);
$name = $row["name"];
echo "<td><font size=2><B>Category:</font><font size=3 color=blue> $name</font><BR>";

echo "<font size=2><B>Product Name:</font><font size=3 color=blue> $item_name</font><BR>";
echo "<font size=2><B>Description:</font><font size=3 color=blue> ";
echo "$item_desc";
echo "</font><BR>";
echo "<font size=2><B>Price:</font><font size=3 color=blue> $$item_price</font><HR></td>";
echo "<td align=center width=125><a href="edit.php?id=$id&name=$name&image=$image&item_name=$item_name&item_desc=$item_desc&item_price=$item_price&cat_id2=$cat_id&featured=$featured"><font size=2>Edit</a></font> | ";
echo "<a href="delete.php?id=$id&image=$image&item_name=$item_name"><font size=2>Delete</a></font><BR>";
if($featured == "yes") {
echo "<font color=red><B>Featured!";
}

}
echo "</tr></table>";

include('footer.php');


?>


now, i know about in php code with quotes ( " ), but where im having problems is when the administrator adds a product, and types in the description of the product something that uses quotes :

ex:
product1
Description using "quotes"

then they add the price and so on,,,

well, it adds the description fine, but when it is pulled on to the page to be viewed, it messes up that page, and i have an edit link on that page, and that link is gone,,,

it can be tested here at http://www.spidermonster.com/cc/

click shop link, and go to admin login link on that page..

username: admin
password: pass

this way you can see what it did, cuz i will have on there already done,, and this is all the code for dealing with that. how do i let the administrator use quotes without it messing up my page like this...

sorry for making page so wide, and i forgot to tell you that its the 3rd product on page....

Category: Tattoo
Product Name: this is for testing
Description: please do not mess with this product, testing script problems. Testing script using "quotes". now there is not edit link on right.
Price: $1.00

check out addslashes() at php.net

http://www.php.net/manual/en/function.addslashes.php

thanks, but it just puts the slashes in front of the quotes,
i thought it would work too, but it didnt do anything,,

and actually, the quotes are fine, except that my edit link wont come up,
and thats confusing me, if i can just get it to come out and keep the quotes,
is really all i need

its just finding out why the quotes are effecting it that way..

Here's what I use for doing about the same thing. It even makes sure an admin can't screw it up:


INSERT INTO table (... description ...) VALUES( ... " . htmlspecialchars($description) . " ... )

The htmlspecialchars() will turn & into &, " into ", etc... And when you view it again on HTML, you get & instead of &, " instead of ", etc.

thanks lizardman, but i tried that and it
deleted my entire table,,,

I dont think something is right in my php.ini file or something
cuz alot of things people suggest to me in this forums for anything usually dont work,,,

like for things with register_globals off,,,,
anything i use for this so i can use php, and code things properly for security,,,
do not work... i have to have register_globals on for anything to work,, even my own code..

even if i use variables and stuff like $_REQUEST, $_GET, OR anything...

so,,,
maybe i should reinstall my php?

What version of PHP are you running?