avincent Posted January 7, 2010

I cannot get database content to display via an echo if the content of the database has an ' or " in it. Below is my code:

search.php

```php
<?php
$dbservertype='mysql';
$servername='localhost';
$dbusername='root';
$dbpassword='###';
$dbname='###';

connecttodb($servername,$dbname,$dbusername,$dbpassword);

function connecttodb($servername,$dbname,$dbuser,$dbpassword)
{
    global $link;
    $link=mysql_connect ("$servername","$dbuser","$dbpassword");
    if(!$link){die("Could not connect to MySQL");}
    mysql_select_db("$dbname",$link) or die ("could not open db".mysql_error());
}
?>
<!doctype html public "-//w3c//dtd html 3.2//en">
<html>
<head>
<title>Multiple drop down list box from plus2net</title>
<SCRIPT language=JavaScript>
function reload(form)
{
    var val=form.cat.options[form.cat.options.selectedIndex].value;
    self.location='search.php?cat=' + val ;
}
</script>
</head>
<body>
<?php
@$cat=$_GET['cat'];
if(strlen($cat) > 0 and !is_numeric($cat)){
    echo "Data Error";
    exit;
}

$quer2=mysql_query("SELECT DISTINCT product_categories_name, product_categories_id FROM tbl_product_categories");

if(isset($cat) and strlen($cat) > 0){
    $quer=mysql_query("SELECT product_name, product_id, join_category_id, join_product_id FROM tbl_product, tbl_join_products_categories where join_category_id=$cat AND product_id=join_product_id order by product_name");
}

echo "<form method=post name=f1 action='search-results.php'>";
echo "<select name='cat' onchange=\"reload(this.form)\"><option value=''>Select one</option>";
while($noticia2 = mysql_fetch_array($quer2)) {
    if($noticia2['product_categories_id']==@$cat){echo "<option selected value='$noticia2[product_categories_id]'>$noticia2[product_categories_name]</option>"."<BR>";}
    else{echo "<option value='$noticia2[product_categories_id]'>$noticia2[product_categories_name]</option>";}
}
echo "</select>";

echo "<select name='subcat'><option value=''>Select one</option>";
while($noticia = mysql_fetch_array($quer)) {
    echo "<option value='$noticia[product_name]'>$noticia[product_name]</option>";
}
echo "</select>";

echo "<input type=submit value=Submit>";
echo "</form>";
?>
</body>
</html>
```

search-results.php

```php
<html>
<head>
<title></title>
</head>
<body>
<?php
$cat=$_POST['cat'];
$subcat=$_POST['subcat']
echo $cat;
echo $subcat;
?>
</body>
</html>
```

HELP!!!!

cags Posted January 8, 2010

Are you saying $cat contains one of those characters? You should be passing the value through mysql_real_escape_string to make it query safe, otherwise SQL injection will be possible for the very reason you're probably finding it's not working, the ' and " characters are meta characters in SQL that have special meanings, if you just stick them in a string as is then MySQL will think that you are closing the value for that field and moving on.

avincent Posted January 8, 2010

Kinda. $cat doesn't contain the string that I am referring to. It is actually the $subcat variable. The strange part is that within the drop down box on search.php it is displayed perfectly with no issues. Once you get to the results page is when the output for $subcat is jacked up. I read a little into the mysql_real_escape_string() you recommended, but I am having trouble figuring out where to put it within the code. Do I just put it on the results page or is it supposed to go on the search page? And where?

cags Posted January 8, 2010

It should be used on any variable that wasn't hard coded into the script by yourself, or in other words everything entered directly by the user. Generally speaking this will be values taken from the $_GET or $_POST superglobal arrays.

```php
$cat = mysql_real_escape_string($_POST['cat']);
$subcat = mysql_real_escape_string($_POST['subcat']);
```

Btw, I noticed that the line declaring $subcat in the code you posted is missing a semicolon from the end.

avincent Posted January 8, 2010

That didn't work. On the results page I put the following code:

```php
<html>
<head>
<title></title>
</head>
<body>
<?php
$cat=$_POST['cat'];
$subcat = mysql_real_escape_string($_POST['subcat']);
echo $subcat;
?>
</body>
</html>
```

The example I am using is this: When I go to search.php I select one of the objects in the first drop down box which determines what will be in the second drop down box. I then select the option I want from the second drop down box. I hit submit and I am taken to the search-results.php page. On this page I only want it to display $subcat. I am using these selections from the drop down boxes:

first drop down box ($cat): Champagne
second drop down box ($subcat): Ca'Montini

What's displayed on the search results page: Ca

Not sure if it is just because I am leaving the page or what, but have been working on this for quite a while.

cags Posted January 8, 2010

To be honest you're confusing me, the topic is under MySQL help and seems to ask about the database, but the more you talk the more it seems to be an issue that has nothing to do with the database, the last code block you posted doesn't even use the database, you are simply echo'ing out a value selected by the user. Are you saying that the value echo'd by that code block you posted is giving Ca?

avincent Posted January 8, 2010

Sorry for the confusion. I am passing database values selected by the user to a results page, but when they get to the results page they are not seeing the database value they selected. It only shows the value up to the apostrophe. They select the option Ca'Montini which is in the database and then after they hit submit they go to the results page that only shows them Ca. It should be showing them the full word Ca'Montini which is the database value they selected.

cags Posted January 8, 2010

In that case it sounds like the characters aren't being escaped correctly, which is odd because I thought forms did this by default, it perhaps depends on the settings on the server. Out of interest, two questions. Firstly if you run the code as is, when you click view source code in the browser, what is the value attribute of the <option> tag for Ca'Montini (I'm going to go ahead and assume that the name that appears in the drop down is Ca'Montini)? Secondly what do you get if you change...

```php
echo "<select name='subcat'><option value=''>Select one</option>";
while($noticia = mysql_fetch_array($quer)) {
    echo "<option value='$noticia[product_name]'>$noticia[product_name]</option>";
}
echo "</select>";
```

...to...

```php
echo "<select name='subcat'><option value=''>Select one</option>";
while($noticia = mysql_fetch_array($quer)) {
    echo "<option value='".urlencode($noticia['product_name'])."'>$noticia[product_name]</option>";
}
echo "</select>";
```

avincent Posted January 8, 2010

When I run the code as is the option value is:

<option value='Ca' Montini'>

When I change the code to what you suggested I get this as what displays on the page now:

Ca%27+Montini

avincent Posted January 8, 2010

I think I got it. I did your suggestion for urlencode on the sending page and then a urldecode on the receiving page and it is working great. TYVM

cags Posted January 8, 2010

It's because the ' is being recognised by the HTML parser as closing the value tag, you could have also fixed it by simply changing the output to something like this...

```php
echo '<option value="'.$noticia['product_name'].'">'.$noticia['product_name'].'</option>';
```
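
Added example, not part of any post in the thread: the same drop-down rendered with `htmlspecialchars()` and `ENT_QUOTES`, which keeps values containing either `'` or `"` intact without a urlencode/urldecode round trip and also encodes the echoed value on the results page. The helpers `h()`, `render_subcat_select()` and `value_browser_submits()` and the sample names are hypothetical; the browser's attribute parsing is simulated with `htmlspecialchars_decode()`.

```php
<?php
// Added example, not code from the thread. $names is constructed sample data
// standing in for the product_name values returned by the query.
$names = ["Ca' Montini", 'Grand "Reserve" Brut', '<b>Brut</b> & Rose'];

// Hypothetical helper: encode a value for an HTML attribute or element text.
// ENT_QUOTES encodes both ' and ", so the quote style used around the
// attribute no longer decides whether the value survives.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: the second drop-down from search.php, values encoded.
function render_subcat_select(array $names)
{
    $html = "<select name='subcat'><option value=''>Select one</option>\n";
    foreach ($names as $name) {
        $html .= "<option value='" . h($name) . "'>" . h($name) . "</option>\n";
    }
    return $html . "</select>\n";
}

// Stand-in for the browser: it decodes the entities while parsing the
// attribute and submits the original string, so search-results.php needs no
// matching decode step.
function value_browser_submits($encodedAttribute)
{
    return htmlspecialchars_decode($encodedAttribute, ENT_QUOTES);
}

echo render_subcat_select($names);

foreach ($names as $name) {
    $posted = value_browser_submits(h($name));
    // search-results.php: encode again at the point of output, because the
    // posted value is user-controlled and may contain markup.
    echo ($posted === $name ? "intact:  " : "changed: "), h($posted), "\n";
}
```

`mysql_real_escape_string()` addresses the SQL string context only; HTML output needs the HTML encoding shown here.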