bothwell Posted July 13, 2008

I am having a falling-out with Magic Quotes over its treatment of my data. I'm using stripslashes and then mysql_real_escape_string on my database input which is all well and good, so now if I check out the database I can see a guy called "test O'rly" in there.

I have a form that searches for users by name and then populates a drop-down box with the distinct results. Mr O'rly is in this drop-down box in with his apostrophe. When I hit the submit button to display however many Test O'rlys are in my database, the POST loses the apostrophe and everything after it (so on the next page if I print out the contents of $_POST it says "test o").

This is my select:

```php
$nameResultSet = mysql_query("SELECT DISTINCT name FROM tenant_info ORDER BY name");
$Data = mysql_fetch_array($nameResultSet);
while(is_array($Data)) {
    print "<option value='".$Data['name']."'>".$Data['name']."</option>";
    $Data = mysql_fetch_array($nameResultSet);
}
```

I am trying all sorts of crazy stuff with putting if(get_magic_quotes_gpc()) { $Data = stripslashes($Data['name']); } in random places to see what happens, but the apostrophe and anything following it just keeps getting stripped out. Where am I going wrong on this one?

teynon Posted July 13, 2008

This is what you would call a blond moment. You're looking too hard. Look at your HTML code:

```html
<option value='test o'reilly'>test o'reilly</option>
```

You need to use double quotes in your values or something.

PFMaBiSmAd Posted July 13, 2008

Single and double quotes have meaning to a browser. To allow them to exist in data, you need to use htmlentities() on them before you place them into HTML code. Use the ENT_QUOTES parameter in htmlentities() so that both single and double quotes are converted, so that someone won't break your code by putting in either type.

discomatt Posted July 13, 2008

There's no 'real' html entity for single quotes ( only the ascii entity ' ). The reason for this is it's standard practice to use double quotes for markup attributes. Follow standards, and you'll usually have fewer hoops to jump through to make your code work.

kenrbnsn Posted July 13, 2008

Take a look at this example to see how to use htmlentities:

```php
<?php
if (isset($_POST['strs']))
    echo '<pre>' . print_r(array_map('stripslashes',$_POST['strs']),true) . '</pre>';
$strs = array('This string has double quotes in it """',"This string has single quotes in it '''",'This string has both double quotes """ and single quotes ' . "'''" . ' in it');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title></title>
</head>
<body>
<form action="" method="post">
<?php
foreach ($strs as $str)
    echo '<input type="text" style="width:50%" name="strs[]" value="' . htmlentities($str,ENT_QUOTES) . '"><br>';
?>
<input name="submit" type="submit" value="Test it">
</form>
</body>
</html>
```

Take a look at the generated source to see how the quotes are handled.

Ken
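
Applying the advice in the posts above to the drop-down from the first post, as an added example that is not part of the thread: it builds each option with and without encoding, then parses the markup to show which value attribute a form would actually submit. The names are constructed, the helper names are hypothetical, and PHP's DOM extension is assumed to be enabled.

```php
<?php
// Added example: names are constructed here instead of read with mysql_query().
$names = array("test O'rly", 'Ann "Red" Smith');

// The thread's pattern: the raw name dropped between attribute quotes.
function option_raw($name, $quote)
{
    return '<option value=' . $quote . $name . $quote . '>' . $name . '</option>';
}

// Hardened: double-quoted attribute, name encoded with ENT_QUOTES.
function option_escaped($name)
{
    $safe = htmlentities($name, ENT_QUOTES, 'UTF-8');
    return '<option value="' . $safe . '">' . $safe . '</option>';
}

// Parse the markup and return the value attribute a form would submit.
function parsed_value($optionHtml)
{
    $previous = libxml_use_internal_errors(true); // malformed markup is expected
    $doc = new DOMDocument();
    $doc->loadHTML('<select>' . $optionHtml . '</select>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $option = $doc->getElementsByTagName('option')->item(0);
    return $option === null ? '' : $option->getAttribute('value');
}

foreach ($names as $name) {
    echo 'stored:             ', $name, "\n";
    echo 'raw, single quotes: ', parsed_value(option_raw($name, "'")), "\n";
    echo 'raw, double quotes: ', parsed_value(option_raw($name, '"')), "\n";
    echo 'encoded:            ', parsed_value(option_escaped($name)), "\n\n";
}
```

Switching the attribute to double quotes without encoding only moves the truncation to names that contain a double quote; the encoded form round-trips both names.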

bothwell Posted July 13, 2008 (Author)

Haha, yeah, definitely a blonde moment. I couldn't for the life of me work out what was wrong with that query. Thanks so much for posting the htmlentities code - I was thinking it'd be really useful if I could do that and I was about to start looking at ways to do it by regex. No, really.

JonnyThunder Posted July 13, 2008

I always put this code at the top of any script I write, to handle the slashes correctly - then just remember to add them when I want....

```php
// Strip slashes from all the inputs if magic quotes is on
if (get_magic_quotes_gpc()) {
    $_REQUEST = array_map('stripslashes', $_REQUEST);
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}
```

kenrbnsn Posted July 13, 2008

> I always put this code at the top of any script I write, to handle the slashes correctly - then just remember to add them when I want....
>
> ```php
> // Strip slashes from all the inputs if magic quotes is on
> if (get_magic_quotes_gpc()) {
>     $_REQUEST = array_map('stripslashes', $_REQUEST);
>     $_GET = array_map('stripslashes', $_GET);
>     $_POST = array_map('stripslashes', $_POST);
>     $_COOKIE = array_map('stripslashes', $_COOKIE);
> }
> ```

You have to be very careful when using the above code, since it won't give you the desired results if you have arrays embedded in those superglobal arrays. Run this modification of my code to see what I mean:

```php
<?php
if (isset($_POST['strs'])) {
    echo '<pre>' . print_r($_POST,true) . '</pre>';
    echo '<pre>' . print_r(array_map('stripslashes',$_POST),true) . '</pre>';
    echo '<pre>' . print_r(array_map('stripslashes',$_POST['strs']),true) . '</pre>';
}
$strs = array('This string has double quotes in it """',"This string has single quotes in it '''",'This string has both double quotes """ and single quotes ' . "'''" . ' in it');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title></title>
</head>
<body>
<form action="" method="post">
<?php
foreach ($strs as $str)
    echo '<input type="text" style="width:50%" name="strs[]" value="' . htmlentities($str,ENT_QUOTES) . '"><br>';
?>
<input name="submit" type="submit" value="Test it">
</form>
</body>
</html>
```

Upon submitting the form, the script will print:

```
Array
(
    [strs] => Array
        (
            [0] => This string has double quotes in it \"\"\"
            [1] => This string has single quotes in it \'\'\'
            [2] => This string has both double quotes \"\"\" and single quotes \'\'\' in it
        )

    [submit] => Test it
)
Array
(
    [strs] => Array
    [submit] => Test it
)
Array
(
    [0] => This string has double quotes in it """
    [1] => This string has single quotes in it '''
    [2] => This string has both double quotes """ and single quotes ''' in it
)
```

Ken
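
One way to handle the nested-array case shown in the post above, as an added example that is not code from the thread: a recursive `stripslashes_deep()` (a hypothetical helper name) applied to the superglobals only where magic quotes can still be active. The sample input is constructed, with `addslashes()` standing in for what magic quotes did to each submitted string.

```php
<?php
// Added example (not code from the thread). Written in plain PHP syntax so it
// also parses on the old versions where magic quotes still existed.

// Undo magic-quotes escaping at every nesting level.
function stripslashes_deep($value)
{
    if (is_array($value)) {
        return array_map('stripslashes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in
// PHP 8.0, so check the version first and never call it on newer releases.
if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
    $_GET     = stripslashes_deep($_GET);
    $_POST    = stripslashes_deep($_POST);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

// Constructed input shaped like the form post above.
$clean = array(
    'This string has double quotes in it """',
    "This string has single quotes in it '''",
);
$post = array(
    'strs'   => array_map('addslashes', $clean), // escaped, as magic quotes would
    'submit' => 'Test it',
);

$fixed = stripslashes_deep($post);
print_r($post);   // nested strings still carry the backslashes
print_r($fixed);  // backslashes removed at both levels, array structure intact
var_dump($fixed['strs'] === $clean);
```

On releases without magic quotes the superglobals are left untouched, which avoids stripping backslashes a user legitimately typed.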

JonnyThunder Posted July 14, 2008

Yeah, I can understand that. Usually, however, I wouldn't pass that kind of variable through these globals - for simpler scripts it works perfectly.

JonnyThunder Posted July 14, 2008

I should also say that any data I accept into my scripts at any stage are preg verified and have illegal characters removed, based on my requirements.

This topic is now archived and is closed to further replies.