
echo special chars from mysql db


avincent


I cannot get database content to display via an echo if the content of the database has an ' or " in it.

Below is my code:

 

search.php

<?php

$dbservertype='mysql';
$servername='localhost';
$dbusername='root';
$dbpassword='###';
$dbname='###';

connecttodb($servername,$dbname,$dbusername,$dbpassword);
function connecttodb($servername,$dbname,$dbuser,$dbpassword)
{
global $link;
$link=mysql_connect ("$servername","$dbuser","$dbpassword");
if(!$link){die("Could not connect to MySQL");}
mysql_select_db("$dbname",$link) or die ("could not open db".mysql_error());
}

?>

<!doctype html public "-//w3c//dtd html 3.2//en">

<html>

<head>
<title>Multiple drop down list box from plus2net</title>
<SCRIPT language=JavaScript>
function reload(form)
{
var val=form.cat.options[form.cat.options.selectedIndex].value;
self.location='search.php?cat=' + val ;
}

</script>
</head>

<body>
<?php

@$cat=$_GET['cat']; 
if(strlen($cat) > 0 and !is_numeric($cat)){ 
echo "Data Error";
exit;
}



$quer2=mysql_query("SELECT DISTINCT product_categories_name, product_categories_id FROM tbl_product_categories"); 

if(isset($cat) and strlen($cat) > 0){
$quer=mysql_query("SELECT product_name, product_id, join_category_id, join_product_id FROM tbl_product, tbl_join_products_categories where join_category_id=$cat AND product_id=join_product_id order by product_name"); 
}

echo "<form method=post name=f1 action='search-results.php'>";

echo "<select name='cat' onchange=\"reload(this.form)\"><option value=''>Select one</option>";
while($noticia2 = mysql_fetch_array($quer2)) { 
if($noticia2['product_categories_id']==@$cat){echo "<option selected value='$noticia2[product_categories_id]'>$noticia2[product_categories_name]</option>"."<BR>";}
else{echo  "<option value='$noticia2[product_categories_id]'>$noticia2[product_categories_name]</option>";}
}
echo "</select>";

echo "<select name='subcat'><option value=''>Select one</option>";
while($noticia = mysql_fetch_array($quer)) { 
echo  "<option value='$noticia[product_name]'>$noticia[product_name]</option>";
}
echo "</select>";

echo "<input type=submit value=Submit>";
echo "</form>";
?>

</body>

</html>

 

search-results.php

<html>

<head>
<title></title>
</head>

<body>
<?php
$cat=$_POST['cat'];
$subcat=$_POST['subcat']

echo $cat;
echo $subcat;


?>
</body>

</html>

 

HELP!!!!

 

 

Link to comment
Share on other sites

Are you saying $cat contains one of those characters? You should be passing the value through mysql_real_escape_string to make it query safe, otherwise SQL injection will be possible for the very reason you're probably finding it's not working: the ' and " characters are meta characters in SQL that have special meanings. If you just stick them in a string as is, then MySQL will think that you are closing the value for that field and moving on.

Link to comment
Share on other sites

Kinda. $cat doesn't contain the string that I am referring to. It is actually the $subcat variable. The strange part is that within the drop down box on search.php it is displayed perfectly with no issues. Once you get to the results page is when the output for $subcat is jacked up. I read a little into the mysql_real_escape_string() you recommended, but I am having trouble figuring out where to put it within the code.

 

Do I just put it on the results page or is it supposed to go on the search page? And where?

Link to comment
Share on other sites

It should be used on any variable that wasn't hard coded into the script by yourself, or in other words everything entered directly by the user. Generally speaking this will be values taken from the $_GET or $_POST superglobal arrays.

 

$cat = mysql_real_escape_string($_POST['cat']);
$subcat = mysql_real_escape_string($_POST['subcat']);

 

Btw, I noticed that the line declaring $subcat in the code you posted is missing a semicolon from the end.

Link to comment
Share on other sites

That didn't work :(

 

On the results page I put the following code:

<html>

<head>
<title></title>
</head>

<body>
<?php
$cat=$_POST['cat'];
$subcat = mysql_real_escape_string($_POST['subcat']);

echo $subcat;


?>
</body>

</html>

 

The example I am using is this:

When I go to search.php I select one of the objects in the first drop down box, which determines what will be in the second drop down box. I then select the option I want from the second drop down box. I hit submit and I am taken to the search-results.php page. On this page I only want it to display $subcat. I am using these selections from the drop down boxes:

 

first drop down box ($cat):  Champagne

second drop down box ($subcat): Ca'Montini

 

What's displayed on the search results page: Ca

 

Not sure if it is just because I am leaving the page or what, but I have been working on this for quite a while.

 

Link to comment
Share on other sites

To be honest, you're confusing me. The topic is under MySQL help and seems to ask about the database, but the more you talk the more it seems to be an issue that has nothing to do with the database. The last code block you posted doesn't even use the database; you are simply echo'ing out a value selected by the user. Are you saying that the value echo'd by that code block you posted is giving Ca?

Link to comment
Share on other sites

Sorry for the confusion. I am passing database values selected by the user to a results page, but when they get to the results page they are not seeing the database value they selected. It only shows the value up to the apostrophe.

 

They select the option Ca'Montini, which is in the database, and then after they hit submit they go to the results page that only shows them Ca. It should be showing them the full word Ca'Montini, which is the database value they selected.

Link to comment
Share on other sites

In that case it sounds like the characters aren't being escaped correctly, which is odd because I thought forms did this by default; it perhaps depends on the settings on the server. Out of interest, two questions. Firstly, if you run the code as is, when you click view source code in the browser, what is the value attribute of the <option> tag for Ca'Montini (I'm going to go ahead and assume that the name that appears in the drop down is Ca'Montini)? Secondly, what do you get if you change...

 

echo "<select name='subcat'><option value=''>Select one</option>";
while($noticia = mysql_fetch_array($quer)) { 
echo  "<option value='$noticia[product_name]'>$noticia[product_name]</option>";
}
echo "</select>";

...to...

 

echo "<select name='subcat'><option value=''>Select one</option>";
while($noticia = mysql_fetch_array($quer)) { 
echo  "<option value='".urlencode($noticia['product_name'])."'>$noticia[product_name]</option>";
}
echo "</select>";

Link to comment
Share on other sites

It's because the ' is being recognised by the HTML parser as closing the value tag. You could have also fixed it by simply changing the output to something like this...

 

echo  '<option value="'.$noticia['product_name'].'">'.$noticia['product_name'].'</option>';

Link to comment
Share on other sites
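
The truncation to "Ca" discussed in this thread, reproduced as an added example that is not code from any poster: it parses each generated `<option>` the way a browser would and reads back the submitted value, and it goes beyond the thread's single case by also covering a double quote and markup characters, which a swap of quote style alone does not handle. The helper names (`h`, `option_unescaped`, `option_escaped`, `parsed_value`) are hypothetical, every product name except Ca'Montini is constructed, and PHP's DOM extension is assumed to be available.

```php
<?php
// Added example, not code from the thread. Sample rows are constructed.

// Escape a value for HTML text or a quoted attribute.
// ENT_QUOTES encodes both ' and ", so the attribute's quoting style stops mattering.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The thread's original output style: raw value inside a single-quoted attribute.
function option_unescaped(string $name): string
{
    return "<option value='$name'>$name</option>";
}

// Same element with the value escaped for the HTML context it lands in.
function option_escaped(string $name): string
{
    return '<option value="' . h($name) . '">' . h($name) . '</option>';
}

// What the browser would submit: parse the markup and read the value attribute back.
function parsed_value(string $optionHtml): string
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<select>' . $optionHtml . '</select>'); // @: malformed input warns
    $opt = $doc->getElementsByTagName('option')->item(0);
    return $opt->getAttribute('value');
}

$names = ["Ca'Montini", 'Chateau "Reserve"', 'Brut <b>& Rose</b>']; // constructed
foreach ($names as $name) {
    printf("%-20s unescaped => %-22s escaped => %s\n",
        $name,
        var_export(parsed_value(option_unescaped($name)), true),
        var_export(parsed_value(option_escaped($name)), true));
}

// search-results.php side: the submitted value is escaped again when echoed,
// because it is user-controlled input going into HTML, not into SQL.
$_POST['subcat'] = "Ca'Montini"; // constructed stand-in for the form submission
echo h($_POST['subcat']), "\n";
```

mysql_real_escape_string() does not help here because it escapes for the SQL string context; the value in this thread breaks in the HTML attribute context, which needs HTML escaping at output time.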
