
Quotes in Variable escaping Form Value

Posted by keith (keith), 2 February 2006
Hi,

I have the following :-

$main.="<input name='title' type='text' size='40' value='".$title."'>"

Now this is fine until the value of title is something like:-
$title="when they're going to be here";

All that is displayed in the Form text field is:
when they

The value of $title actually comes from a mySQL db.

I want the user to see exactly what they originally typed in the form, so they can modify it. How do I get this text field to display the full line:
when they're going to be here

I'm sure I should be doing an addslashes or something, but I just can't get the line to display correctly in the text field.

Thanks in advance

Keith


Posted by Chris_Isaac (Chris Isaac), 2 February 2006
Hi Keith

I'm a bit rusty with PHP, but I think you are on the right lines because it's cutting off the string at the ' in they're.

Try using the addslashes function (when you originally input the data into the MySQL db) and see if that gets you over the problem. (Don't forget to use the stripslashes function when getting the information out.)

Like I said, I'm rusty; if that doesn't work, there are bigger and uglier people on the board who will point you in the right direction.... there's Graham as well...

Hope this helps.

Posted by admin (Graham Ellis), 2 February 2006
This is how I remember it:



Reading from a form - call stripslashes but ONLY if your server is configured with magic quotes set on (that's the default).  This prevents quotes entered by the user having a backslash in front of them.

Saving to a database - call addslashes which ensures that the 4 special characters that can't be otherwise passed in within your SQL get escaped as appropriate.

Reading back from a database - no action to take since you've already saved the data cleanly.

Outputting back to the browser (and this INCLUDES echoing back as the value in a text string) - htmlspecialchars which converts < to &lt; and (answering Keith's original query) " to &quot;.


Posted by keith (keith), 2 February 2006
Thanks Graham and Chris,

Chris, I had tried addslashes, but it didn't help.

Graham, I know PHP addslashes by default (when magicquotes is on) to form data.

The data I am showing is from MySQL, not directly from a form, so the stripslashes and addslashes part seems to be irrelevant.
It's saving fine in MySQL, e.g. I can pull it back out and echo $title;
and I get:-
when they're going to be here

It's just the form value thing that's the issue.

So all I need to do is use htmlspecialchars

Or am I not understanding something here!?

Posted by admin (Graham Ellis), 2 February 2006
on 02/02/06 at 23:14:40, keith wrote:
So all I need to do is use htmlspecialchars

Or am I not understanding something here!?


Nope, I think that's all you need then.

Posted by keith (keith), 3 February 2006
Ah!

With a bit of swapping from Single Quotes to Double Quotes and vice-versa, it worked like a charm.

Many thanks

Keith
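
Added example (not part of the original thread): the input element from the first post, built with htmlspecialchars under different flag and attribute-quote combinations, then read back with an HTML parser to check whether the value survives. The helper names title_input and parsed_value and the second sample title are made up for this illustration.

```php
<?php
// Added example, not code from the thread. The second sample title is constructed.

libxml_use_internal_errors(true); // collect HTML parse errors instead of emitting warnings

// Build the thread's input element with the value escaped under the given flags.
function title_input(string $title, int $flags, string $quote): string
{
    $safe = htmlspecialchars($title, $flags, 'UTF-8');
    return "<input name='title' type='text' size='40' value="
        . $quote . $safe . $quote . ">";
}

// Return the value attribute as an HTML parser reads it back from the markup.
function parsed_value(string $html): string
{
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

$titles = [
    "when they're going to be here",        // the title from the thread
    'size 40" screen & <b>bold</b> text',   // constructed: double quote, &, tags
];

// ENT_COMPAT escapes " but not '; ENT_QUOTES escapes both.
$cases = [
    'ENT_COMPAT, single-quoted attr' => [ENT_COMPAT, "'"],
    'ENT_COMPAT, double-quoted attr' => [ENT_COMPAT, '"'],
    'ENT_QUOTES, single-quoted attr' => [ENT_QUOTES | ENT_SUBSTITUTE, "'"],
    'ENT_QUOTES, double-quoted attr' => [ENT_QUOTES | ENT_SUBSTITUTE, '"'],
];

foreach ($titles as $title) {
    foreach ($cases as $label => [$flags, $quote]) {
        $html = title_input($title, $flags, $quote);
        $ok = parsed_value($html) === $title ? 'round-trips' : 'mismatch';
        printf("%-32s %-11s %s\n", $label, $ok, $html);
    }
    echo "\n";
}
```

Before PHP 8.1 the default flag for htmlspecialchars is ENT_COMPAT, which leaves ' untouched, so a single-quoted attribute needs ENT_QUOTES passed explicitly or the attribute switched to double quotes. From PHP 8.1 the default already includes ENT_QUOTES.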





This page is a thread posted to the opentalk forum at www.opentalk.org.uk and archived here for reference. To jump to the archive index please follow this link.
