refiking, posted October 3, 2008:

I can store apostrophes with no problem. But when I call them from the db in a query, it screws it up. How should I handle it so it can actually read the record from the database and echo the record with the apostrophe intact? Thanks in advance!

Porl123, posted October 3, 2008:

You should be adding slashes before you enter them into the database, then you can strip them on the other side

refiking, posted October 3, 2008:

Can you give me an example please?

Porl123, posted October 3, 2008:

    $text = "Steve's text";
    $string = addslashes($text);
    mysql_query("INSERT INTO table (`text`) VALUES ('".$string."')");

Then to retrieve

    $query = mysql_query("SELECT text FROM table WHERE .....");
    $text = mysql_fetch_array($query);
    $text = stripslashes($text[0]);
    echo $text;

Something like that

refiking, posted October 3, 2008:

OK. So, what do I do about having more than 1 record with a possible apostrophe? I can't use string twice when entering in the db, right?

Porl123, posted October 3, 2008:

Any string that goes into the database can have those functions as many times as you want

Porl123, posted October 3, 2008:

In fact, instead of using addslashes before it goes into the database, I'd increase the security and use

    function clean($data) {
        if (!get_magic_quotes_gpc()) {
            $data = addslashes($data);
        }
        $data = strip_tags($data);
        $data = htmlspecialchars($data, ENT_QUOTES);
        $data = trim($data);
        return $data;
    }

It's a bit more safe

refiking, posted October 3, 2008:

OK. So, I add this function and call my variables. Then, how would I use this function with those variables? For example:

[code]
while($row = mysql_fetch_assoc($sql)){
    $var1 = $row['field1'];
    $var2 = $row['field2'];
    $var3 = $row['field3'];
}
// Would I then add this?
$var1 = clean($var1);
$var2 = clean($var2);
$var3 = clean($var3);
[/code]

kenrbnsn, posted October 3, 2008:

Actually, you should use the mysql_real_escape_string() function, not addslashes(), since it handles all potential problem characters, not just the single quote. Also, stripslashes() and htmlentities() should be used when you display stored values, not when you store them.

Ken

refiking, posted October 3, 2008:

OK, so would I use the mysql_real_escape_string() function when displaying or storing the value? Thanks in advance for being patient with a noob.

schilly, posted October 3, 2008:

mysql_real_escape_string() when you store.

refiking, posted October 3, 2008:

OK. So, when I display the variable, will I have to add any kind of function or anything?

schilly, posted October 3, 2008:

stripslashes() and htmlentities() as per Ken

ex.

    stripslashes(htmlentities($var))

refiking, posted October 3, 2008:

OK. So, I think I got it now. Let me know if this is it.

    while($row = mysql_fetch_assoc($sql)){
        $var1 = $row['field1'];
        $var2 = $row['field2'];
    }
    $var1 = stripslashes(htmlentities($var1));
    $var2 = stripslashes(htmlentities($var2));

schilly, posted October 3, 2008:

Looks good.

refiking, posted October 3, 2008:

Ok. Thanks!

kenrbnsn, posted October 3, 2008:

You should use stripslashes() before htmlentities():

    <?php
    while($row = mysql_fetch_assoc($sql)){
        $var1 = htmlentities(stripslashes($row['field1']),ENT_QUOTES);
        $var2 = htmlentities(stripslashes($row['field2']),ENT_QUOTES);
        //
        // do something with var1 & var2
        //
    }
    ?>

Ken

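The split discussed above (handle SQL quoting when storing, handle HTML encoding when displaying), as an added example that is not code from any poster in this thread. It swaps in a PDO prepared statement for mysql_real_escape_string() and uses an in-memory SQLite database so it runs without a server; the `notes` table, the `h()` helper and the sample strings are constructed for illustration.

```php
<?php
// Added example with constructed data. Assumption: the pdo_sqlite extension
// is loaded. Table, column and helper names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample input: apostrophes, double quotes, markup, a backslash.
$inputs = [
    "Steve's text",
    "O'Brien said \"it's <b>done</b>\"",
    "C:\\temp & Tom's file",
];

// Store: bound parameters keep the data out of the SQL text, so nothing is
// escaped by hand and the value is stored exactly as entered.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
foreach ($inputs as $body) {
    $insert->execute([':body' => $body]);
}

// Display: encode for HTML once, at output time, with no stripslashes().
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$rows = $pdo->query('SELECT body FROM notes ORDER BY id')
            ->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $i => $stored) {
    // The round trip is lossless: what comes back equals what went in.
    if ($stored !== $inputs[$i]) {
        throw new RuntimeException("row $i was altered in storage");
    }
    echo h($stored), PHP_EOL;
}

// For contrast: slashing and HTML-encoding before storage (the clean()
// approach earlier in the thread) changes the stored data itself.
$preEncoded = htmlspecialchars(addslashes($inputs[0]), ENT_QUOTES, 'UTF-8');
$insert->execute([':body' => $preEncoded]);
$bad = $pdo->query('SELECT body FROM notes ORDER BY id DESC LIMIT 1')
           ->fetchColumn();
echo $bad, PHP_EOL;                  // stored value carries a slash and an entity
echo h(stripslashes($bad)), PHP_EOL; // encoding again at display double-encodes it
```
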
nadeemshafi9, posted October 3, 2008:

Depends. When you say screws up, what does that mean? MySQL adds slashes for you and also removes them on retrieval.

nadeemshafi9, posted October 3, 2008:

How to handle apostrophes: you hang, behead or quarter them
