Help needed to Escape?


Solarpitch


Hey,

 

Just have a small problem. I have a result coming from the database which is a name. The name is

'O'Sullivan Luke'

 

The apostrophe seems to be cutting the name out. So I'm trying to echo it into a checkbox and this is what I've tried...

 

<?php
echo "<input name=box[] type='checkbox' value='".mysql_real_escape_string($row[0])."' >";
?>

 

All that seems to be echoing out is 'O'... how can I escape this correctly so I end up with...

 

<input name=box[] type='checkbox' value='O'Sullivan Luke' >


I want to print the value into a checkbox.

 

I've managed to get this, but it won't return the results from the database:

 

select * from golfpro_member WHERE member_name = 'O\\\\\\\'Sullivan John Mr' and email != '' and email != '0'

 

But if I were to type this into phpMyAdmin, it works:

 

select * from golfpro_member WHERE member_name = "O'Sullivan John Mr" and email != '' and email != '0'

 

I'm basically printing the value into a checkbox like so:

 

print '<input name="box[]" type="checkbox" value='.addslashes($row[0]).'>>'.$row[0]."";


Yeah, I'm escaping data to print in HTML... that's what I'm trying to do. See, I can't escape before insertion as the results are already in the database. It's a database that the client already had.

 

What would I need to be looking at if I'm escaping data to print to HTML?

 


I see... well, the full function is...

 

<?php 

// Note: the mysql_* extension used here is the legacy PHP 5 extension; it was removed in PHP 7.
function get_mem_types(){

    dbconnect();
    $sql = "select * from golfpro_member WHERE email != '' and email != '0' ORDER BY member_name asc";
    $result = mysql_query($sql);
    $select = '';
    while(($row = mysql_fetch_row($result)) !== false) {
        // htmlspecialchars() turns <, >, & and " into entities, so the name is safe inside
        // the double-quoted value attribute; the visible label gets the same treatment.
        $select .= '<input name="box[]" type="checkbox" value="'.htmlspecialchars($row[0]).'">'.htmlspecialchars($row[0])."<br />";
    }
    // The caller echoes the returned markup.
    return $select;
}

?>

 

If I was to echo this, I would get

 


select * from golfpro_member WHERE member_name = 'O\\\'Sullivan John Mr' and email != '' and email != '0'

 

... and this won't return any results.


See, I can't escape before insertion as the results are already in the database. It's a database that the client already had.

 

Yes you can, and should. You are escaping to prevent SQL injection. Whether you are updating or inserting is irrelevant.

 

mysql_query("INSERT INTO foo (bar) VALUES('" . mysql_real_escape_string($unescapedBar) . "')");

 

If you actually see O\\\'Sullivan John Mr in the database then your script is broken.
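The two contexts the thread keeps mixing up, side by side, as an added example (this is not the original poster's code nor the reply's): the same name with an apostrophe goes into a SQL query as a bound parameter, and comes out into HTML through htmlspecialchars() with ENT_QUOTES. An in-memory SQLite database via PDO stands in for the poster's MySQL table so the script runs offline; the table and column names follow the thread, and the rows are constructed sample data. The pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not code from the original thread.
// Rule of thumb demonstrated here: escape for the context you are writing INTO.
//   - SQL  : bind parameters (PDO prepared statements); never splice quoted strings by hand.
//   - HTML : htmlspecialchars() with ENT_QUOTES, so both ' and " are safe in attributes.

// Constructed stand-in for the client's MySQL database (assumption: pdo_sqlite is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE golfpro_member (member_name TEXT, email TEXT)");

// Inserting through a prepared statement stores O'Sullivan as-is, never as O\'Sullivan.
// Seeing backslashes in the stored data means something added them before the insert.
$ins = $pdo->prepare("INSERT INTO golfpro_member (member_name, email) VALUES (?, ?)");
$sampleRows = [                                  // constructed sample data
    ["O'Sullivan John Mr", "john@example.com"],
    ['Smith "Bob" Jr',     "bob@example.com"],
    ["No Email",           ""],
];
foreach ($sampleRows as $r) {
    $ins->execute($r);
}

// Looking up a name that contains an apostrophe: bind it instead of quoting it.
function find_member(PDO $pdo, string $name): ?string
{
    $st = $pdo->prepare(
        "SELECT member_name FROM golfpro_member
          WHERE member_name = ? AND email != '' AND email != '0'"
    );
    $st->execute([$name]);
    $v = $st->fetchColumn();
    return $v === false ? null : $v;
}

// One escaping helper for everything that lands in HTML (attribute values and text nodes).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The checkbox list the poster wants: both the value attribute and the visible label escaped.
function member_checkboxes(PDO $pdo): string
{
    $st = $pdo->query(
        "SELECT member_name FROM golfpro_member
          WHERE email != '' AND email != '0' ORDER BY member_name ASC"
    );
    $out = '';
    while (($row = $st->fetch(PDO::FETCH_NUM)) !== false) {
        $out .= '<input name="box[]" type="checkbox" value="' . h($row[0]) . '">'
              . h($row[0]) . "<br />\n";
    }
    return $out;
}

// The bound apostrophe matches the stored row; no backslashes are involved anywhere.
var_dump(find_member($pdo, "O'Sullivan John Mr"));

// "No Email" is filtered out by the email check; the apostrophe and the double quotes
// in the remaining names come out as entities, so the attributes stay intact.
echo member_checkboxes($pdo);

// What went wrong in the thread: a SQL-style escape (backslash) inside an HTML attribute.
// The browser closes the single-quoted attribute at the first ', leaving the value as O\
// and the rest of the name as stray attributes. htmlspecialchars() produces an entity
// that the browser decodes back to the apostyrophe-free-of-side-effects original text.
$name = "O'Sullivan Luke";
echo "<input value='" . addslashes($name) . "'>\n";   // broken: backslash means nothing to HTML
echo "<input value='" . h($name) . "'>\n";            // correct: apostrophe becomes an entity
```

Run it with `php example.php`. The key point for the poster's situation: the data already in the database does not need to be touched at all; escaping is applied at the moment the value is written into a particular output (the SQL statement or the HTML page), and each output has its own mechanism. If the stored names already contain backslashes, that is a sign they were escaped twice on the way in, and the stored data should be repaired rather than un-escaped on every read.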

