[SOLVED] single quotes getting overused and confusing

[coutts]

<td><input size='25' maxlength='255' name='title' type='text' value='You're the One for Me'/></td>

 

Hi

The code above is html generated from an SQL query. As you can see in the value field there is a ' single quote which is ending the value at YOU, not the whole song title. Can anyone suggest how to fix this. The SQL table has You're the One for Me successfully added to the record and I am using single and double quotes in the php to avoid confusion there like this

 

   echo( "<tr><td>Song Title</td><td>" . "<input size='25' maxlength='255' name='title' type='text'" . "value='" . $row["title"] . "'/>" . "</td></tr>" );

 

Thanks

Robert

[mysqldba]

http://uk2.php.net/addslashes ?

 

i.e. addslashes( $row['title'] )

[coutts]

Please excuse me if I am being dense but - I tried adding addslashes as you prescribed to the page that was displaying the truncated song title and what I then got was

 

You\

 

and the rest truncated becasue the html code returned was

<td><input size='25' maxlength='255' name='title' type='text' value='You\'re the One for Me'/></td>

 

I also thought maybe it was meant to make your data entry page put as slash before the ' but that wasnt it either.

I must be missing something here

 

Robert

[CroNiX]

When you are putting data in the database, use addslashes() (or better yet mysql_real_escape_string) and when you retrieve data use stripslashes() to remove them.

[Barand]

If you are using addslashes or mysql_real_escape_string correctly there should be no need to remove slashes when you retrieve the data from the db

[coutts]

Good Morning:

Well I tried as suggested I added slashes and stripped slashes and the title was still truncated and really I couldnt see how that would fix the problem. I do understand the idea behind slashes or escaping out characters that could be harmful if just anyone can add them to create an SQL statement rather than just adding data. However in this case the problem is really in the html statement, but I'm posting this in the SQL forum because it is a direct result of SQL.

 

When the song title YOU'RE THE ONE is displayed in say a table like this:

<tr><td>YOU'RE THE ONE</td></tr>

that is fine - no problem but

when it is displayed in a input tag like this:

<tr><td><input size='25' maxlength='255' name='title' type='text' value='You're the One'/>YOU'RE THE ONE</td></tr>

then the ' after YOU ends that field and the song title displays as YOU not YOU'RE THE ONE and this makes perfect sense - if I were writing this as HTML I would see that extra ' and remove it as a mistake.

 

The thing is even if I add and remove an escape slash that does not change the fact that the ' after YOU is still there and HTML-wise it is still a mistake. The only way I have temporarily fixed this is to use &#39; in the song title but it isnt very slick telling users to use &#39;

 

Does this long explanation change what anyone thinks is the right approach

 

Thanks

Robert

[Barand]

use "

 

<input size='25' maxlength='255' name='title' type='text' value="You're the One"/>

[coutts]

Hi

OK my problem with double quoting the song title value is that since this is written on the fly with this code

 

 

   echo( "<tr><td>Song Title</td><td>" . "<input size='25' maxlength='255' name='title' type='text'" . " value='" . $row["title"] . "'/>" . "</td></tr>" );

 

 

I would have to change it to ????. I can't see how to change this to make it write double quotes in the html without doing something like . " value="" . $row["title"] . ""/>" and the two double quotes would, I believe, get me in trouble too. Right? So is there another way of writing the code above to achieve the HTML that Barand is suggesting ie double quotes on the song title

 

Thanks

[Barand]

echo "<tr><td>Song Title</td><td><input size='25' maxlength='255' name='title' type='text' value=\"{$row['title']}\" /></td></tr>" ;

[coutts]

Thanks that is perfect