How do I escape quote marks stored in a variable ????

[poleposters]

Hi,

 

I have records in my database with quotes or apostrophes. I am retireving one such record and placing it into a variable.HOwever when I echo the variable it gets all muddled because of the apostrophes.

 

I'm sure there is a function to escape the quotes in a variable but am having trouble finding it.

 

Can someone point the way?

[poleposters]

Never mind. I found it!!

 

It was at the top of the list of functions

 

addslashes()

[poleposters]

No, I take it back. Didn't work.

[dezkit]

either u can use

 

"

'

or \"

 

 

[laffin]

mysql_real_escape_string

 

if using mysql

 

or maybe addslashes

[PFMaBiSmAd]

If you are echoing content to the browser, special characters that the browser interprets/renders (quotes, <, >, &) need to be converted using htmlentities() - http://www.php.net/manual/en/function.htmlentities.php

 

Escaping data with a slash \ only has meaning when putting data into a database.

[poleposters]

No, neither are working

 

I'll show you the code.

 

 

$bn=Jack's Chicken Shop;

print "<tr><td >Business name</span></td><td><input type='text' name='business_name' value='$bn'></td></tr>";

 

The problem is because the value='$bn' is single quoted and the print "" is double quoted, and I want to print a variable that contains quotes.

[discomatt]

Besides not quoting your $bn definition.. the code looks fine.

[PFMaBiSmAd]

You need to pass $bn through the htmlentities() function so that quotes within it are converted into htmlentities that the browser won't attempt to render and break the value='...' parameter.

[discomatt]

Ahh, that's it. Common problem.

 

Problem is HTML doesnt recognize using a backslash to escape... nor does it have an entity for a single quote. Always use double quotes for HTML attributes.

 

$bn="Jack's Chicken Shop is \"the best\"";

print '<tr><td >Business name</span></td><td><input type="text" name="business_name" value="'. htmlentities($bn) .'"></td></tr>';

[poleposters]

That did it. I converted all the single quotes to doubles in the HTML and escaped them. The variable printed normally.

 

Except now I have to change all my forms from snigle quotes to double and escape them. I'm in for a long day.

 

Thanks all!

[discomatt]

Another reason why following standards from the start can same you a lot of time and effort in the end

[AndyB]

Except now I have to change all my forms from snigle quotes to double and escape them. I'm in for a long day.

 

If that were true I have about two years' work to do "fixing" several thousand scripts.  Luckily, it's not true as a general statement.

[PFMaBiSmAd]

Use the ENT_QUOTES parameter in the htmlentities() function. There is no need to change any of your single/double quoting (except as needed to incorporate the htmlentities() function call.) If you use the htmlentities() where the data is retrieved from the database, you won't need to change anything where it is output in the form code.

[Xeoncross]

 

Right on discomatt, I just have one thing to add - don't use double-quotes for variable names unless you have something that needs to be processed within the quotes. For example:

 

discomatt

 

<?php
//slower
$bn="Jack's Chicken Shop is \"the best\"";

//faster
$bn='Jack\'s Chicken Shop is "the best"';

//With the newline char "\n"

//Works
$bn="Jack's Chicken Shop is \"the best\" \n";

//Won't work
$bn='Jack\'s Chicken Shop is "the best" \n';
?>

 

And this only applies to PHP - never use single quotes in (X)HTML.