Solarpitch Posted January 29, 2009

Hey, just have a small problem. I have a result coming from the database which is a name. The name is 'O'Sullivan Luke'. The apostrophe seems to be cutting the name out. So I'm trying to echo it into a checkbox and this is what I've tried...

    print "<input name=box[] type='checkbox' value='".mysql_real_escape_string($row[0])."' >";

All that seems to be echoing out is 'O'.. how can I escape this correctly so I end up with..

    <input name=box[] type='checkbox' value='O'Sullivan Luke' >

Link to comment https://forums.phpfreaks.com/topic/142981-help-needed-to-escape/
Mchl Posted January 29, 2009

Use addslashes
rhodesa Posted January 29, 2009

    <?php
    print '<input name="box[]" type="checkbox" value="'.htmlspecialchars($row[0]).'">';
    ?>
Solarpitch (Author) Posted January 29, 2009

Neither work.. When I use addslashes I get:

    WHERE member_name = 'O\\\\'

and when I use htmlspecialchars I get:

    WHERE member_name = 'O\\\'Sullivan'
Mchl Posted January 29, 2009

Ok... you want to display it, use it in a query, or what?
Solarpitch (Author) Posted January 29, 2009

I want to print the value into a checkbox. I've managed to get this, but it won't return the results from the database:

    select * from golfpro_member WHERE member_name = 'O\\\\\\\'Sullivan John Mr' and email != '' and email != '0'

but if I were to type this into phpMyAdmin, it works:

    select * from golfpro_member WHERE member_name = "O'Sullivan John Mr" and email != '' and email != '0'

I'm basically printing the value into a checkbox like so:

    print '<input name="box[]" type="checkbox" value='.addslashes($row[0]).'>>'.$row[0]."";
rhodesa Posted January 29, 2009

ok... but the functions for escaping data for MySQL and escaping data to print in HTML are different. What is your code for the SQL query?
Daniel0 Posted January 29, 2009

You need to escape it just before inserting it and at no other time, i.e. not when echoing it. Of course you might want to convert HTML entities if you are outputting HTML though...
Solarpitch (Author) Posted January 29, 2009

Yeah, I'm escaping data to print in HTML... that's what I'm trying to do. See, I can't escape before insertion as the results are already in the database. It's a database that the client already had. What would I need to be looking at if I'm escaping data to print to HTML?
rhodesa Posted January 29, 2009

htmlspecialchars() will convert any 'special' chars to their non-conflicting versions. You also need to use double quotes around it though... not single.
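The HTML side of the advice above, as an added example that is not code from the thread: the original single-quoted attribute is kept beside the fixed version, and the markup is parsed back with DOMDocument to show which value a browser actually ends up with. The $names array is constructed sample data standing in for $row[0]; the apostrophe-breakout string in it is there to show that the same bug is also an attribute-breakout (XSS) problem, not just a display one.

```php
<?php
// Added example, not from the original post. Building the checkbox so that
// an apostrophe (or any other special character) in the member name cannot
// terminate the value attribute.

declare(strict_types=1);

// The approach from the first post: single-quoted attribute, no HTML escaping.
// The second apostrophe in O'Sullivan closes the attribute early.
function checkbox_unescaped(string $name): string
{
    return "<input name=box[] type='checkbox' value='" . $name . "' >";
}

// The fix: double-quoted attribute and htmlspecialchars() with ENT_QUOTES so
// that both ' and " are encoded (along with < > &, which matter in text).
// ENT_SUBSTITUTE keeps an invalid UTF-8 byte from turning the output into "".
function checkbox_escaped(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="box[]" type="checkbox" value="' . $safe . '">'
         . $safe . '<br />';
}

// What a browser sees: parse the markup and read the first input's value back.
function value_as_parsed(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // report malformed markup quietly
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

// Constructed sample names (stand-ins for $row[0] from the member query).
$names = [
    "O'Sullivan Luke",                                   // the case from the thread
    'Smith "Bob" Jones',                                 // double quote inside the value
    "Mallory'><script>alert(1)</script><input value='",  // attribute breakout attempt
];

foreach ($names as $name) {
    $unescaped = checkbox_unescaped($name);
    $escaped   = checkbox_escaped($name);
    printf("name:      %s\n", $name);
    printf("unescaped: %s\n", var_export(value_as_parsed($unescaped), true));
    printf("escaped:   %s\n\n", var_export(value_as_parsed($escaped), true));
}
```

Running it shows the difference the double quotes plus ENT_QUOTES make: the unescaped O'Sullivan row stops at the second apostrophe, exactly the "all I get is 'O'" symptom, and the unescaped Mallory row lets a <script> element into the page, while every escaped row round-trips the full name as a single attribute value. Note that htmlspecialchars() without ENT_QUOTES leaves ' alone, so the flag is not optional if an attribute could ever be single-quoted.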
Solarpitch (Author) Posted January 29, 2009

I see.. well the full function is...

    <?php
    function get_mem_types(){
        dbconnect();
        $sql = "select * from golfpro_member WHERE email != '' and email != '0' ORDER BY member_name asc";
        $result = mysql_query($sql);
        while(($row = mysql_fetch_row($result)) !== false) {
            print '<input name="box[]" type="checkbox" value="'.htmlspecialchars($row[0]).'">'.$row[0]."<br />";
        }
        return $select;
    }
    ?>

If I was to echo this I would get

    select * from golfpro_member WHERE member_name = 'O\\\'Sullivan John Mr' and email != '' and email != '0'

.. and this won't return any results.
rhodesa Posted January 29, 2009

those are different select statements...
Solarpitch (Author) Posted January 29, 2009

I'm sorry, I'm confusing myself here... I need to get some food into me and take a look at this in a short while. Thanks for the help. I'll see if I can get a look at it later.
Daniel0 Posted January 29, 2009

Solarpitch wrote: "See, I can't escape before insertion as the results are already in the database. It's a database that the client already had."

Yes you can, and should. You are escaping to prevent SQL injection. Whether you are updating or inserting is irrelevant.

    mysql_query("INSERT INTO foo (bar) VALUES('" . mysql_real_escape_string($unescapedBar) . "')");

If you actually see O\\\'Sullivan John Mr in the database then your script is broken.
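The SQL side, as an added example that is not code from the thread. It shows two things the replies above point at: first, why the WHERE clause ended up with O\\\'Sullivan (three backslashes) and later O\\\\\\\'Sullivan (seven): the value was escaped more than once, and each extra pass doubles the backslashes already there; second, how to run the member lookup without hand-escaping at all. addslashes() is used only to make the growth visible; it is not a MySQL escaping function. The query uses a mysqli prepared statement, which is my substitution (the mysql_* functions the thread uses were removed in PHP 7); the table and column names come from the thread, and the connection details read from environment variables are placeholders.

```php
<?php
// Added example, not from the original post. Escape once, at the query, or
// better: do not hand-escape at all and bind the value as a parameter.

declare(strict_types=1);

// Apply addslashes() $n times. Each pass turns ' into \' and \ into \\, so the
// number of backslashes in front of the apostrophe goes 1, 3, 7, ... (2^n - 1).
// That is the pattern visible in the queries posted above.
function escape_n_times(string $value, int $n): string
{
    for ($i = 0; $i < $n; $i++) {
        $value = addslashes($value);
    }
    return $value;
}

function show_double_escaping(): void
{
    $name = "O'Sullivan John Mr";   // constructed sample value, the stored name stays plain
    foreach ([1, 2, 3] as $n) {
        printf("%d escaping pass(es): WHERE member_name = '%s'\n", $n, escape_n_times($name, $n));
    }
}

// The lookup done without any manual escaping: the name travels as a bound
// parameter, so an apostrophe (or anything else) in it cannot change the SQL
// and no backslashes are ever added to it. Requires the mysqlnd driver for
// get_result(); mysqli itself is an assumption, not what the thread used.
function find_members(mysqli $db, string $name): array
{
    $sql = "SELECT member_name, email FROM golfpro_member
            WHERE member_name = ? AND email != '' AND email != '0'";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

show_double_escaping();

// Only runs against a real database; DB_* environment variables are placeholders.
if (getenv('DB_HOST') !== false) {
    $db = new mysqli(
        (string) getenv('DB_HOST'),
        (string) getenv('DB_USER'),
        (string) getenv('DB_PASS'),
        (string) getenv('DB_NAME')
    );
    foreach (find_members($db, "O'Sullivan John Mr") as $row) {
        echo $row['member_name'], ' <', $row['email'], ">\n";
    }
}
```

The check a practitioner wants here is the one Daniel0 gives: select the row in phpMyAdmin and look at the stored value. If it is the plain O'Sullivan John Mr, the database is fine and the extra backslashes are being added on the way into the query (magic_quotes, addslashes() on top of mysql_real_escape_string(), or escaping the same variable in two places); if the stored value itself contains backslashes, an earlier insert escaped twice and the data needs cleaning. With a bound parameter there is no escaping step to get wrong in either direction, and HTML escaping stays where rhodesa put it, on output only.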
This topic is now archived and is closed to further replies.