
How to take input from user with ' in it and then echo out to a webpage.


00stuff


Hi guys, I am creating a simple page that takes input from the user in several text boxes and one text area. Then, when you click on the submit button, it stores that data in a MySQL database. In addition to this input page there will be a second page that shows the data that was stored in the database. It should be a simple project. The problem that I'm having is that when the user inputs data with ' apostrophes in it, it crashes my code. Whatever is after the ' apostrophe is disregarded, and the data doesn't show with the echo command.

 

I really don't know what to do. I tried using the addslashes and removeslashes functions but they did not work. Maybe I used them incorrectly. That is why I need help. Here is my code.

 

Page that takes input (right now it is also the page that shows the data from the database; I will separate it later):

 

 

<html>
<head>
<title>Tutorial Input</title>
</head>
<body link="blue" vlink="blue" alink="blue">
<h2> New Article </h2>
<br>
<form name="tutorial_form" method="post" action="inputarticle.php">

Title: <input name="tutorial_title" type="text"> Category: <input name="tutorial_category" type="text">
<br><br>
Content:<br>
<textarea rows='10' cols='90' name='tutorial_content'>
</textarea><br><br>
Tags:<br>
<textarea rows='5' cols='30' name='tutorial_tags'>
</textarea><br><br>
<input type="submit" value="Submit">

</form>
<br>
<hr>
<br>

<?php

$con = mysql_connect("host","username","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }


mysql_select_db("database", $con);

$result = mysql_query("SELECT * FROM tutorial_articles ORDER BY title");


while($row = mysql_fetch_array($result))
  {
  
   $link = "<a href='tutorialshow.php?id=" . $row['id'] . "&title=" . $row['title'] . "&category=" . $row['category'] . "&content=" . $row['content'] . "&tags=" . $row['tags'] . "' target='new'>" . $row['title'] . "</a>";
    


echo $link . "<br>";

  }


mysql_close($con);
?> 



</body>
</html>

 

Then the code that enters the data to the database is this.

 

<?php


$a_title = $_POST["tutorial_title"];
$a_category = $_POST["tutorial_category"];
$a_content = $_POST["tutorial_content"];
$a_tags = $_POST["tutorial_tags"];



$con = mysql_connect("host","username","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }



mysql_select_db("itdirectory", $con);

$sql="INSERT INTO tutorial_articles (title, category, content, tags)
VALUES
('$a_title','$a_category','$a_content','$a_tags')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";


mysql_close($con);
?>  


<html>
<head>
<script type="text/javascript">
<!--
function delayer(){    window.location = "tutorialform.php"}
//-->
</script>
</head>

<body onLoad="setTimeout('delayer()', 3000)"><h2>Prepare to be redirected!</h2>




</body>
</html>

 

 

Then the last page is just the page that opens after someone clicks on the link that is displayed on the input/link page:

 

<?php 

$id = $_GET['id'];
$title = $_GET['title'];
$category = $_GET['category'];
$content = $_GET['content'];
$tags = $_GET['tags'];

?>

<html>
<head>
<title><?php echo $title; ?></title>
</head>

<body>

<?php 

echo "<font size='5'>" . $title . "</font> - <font color='green' size='2'>" . $category . "</font><br><br>";

echo $content; 



?>

</body>
</html>

 

Any help is welcome. Thanks in advance.


Use the addslashes function to escape any characters that would screw it up...

 

$a_title = addslashes($_POST["tutorial_title"]);
$a_category = addslashes($_POST["tutorial_category"]);
$a_content = addslashes($_POST["tutorial_content"]);
$a_tags = addslashes($_POST["tutorial_tags"]);
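Added example, not code from the thread: the same insert page written with a prepared statement, which makes addslashes() unnecessary. The values travel to the server separately from the SQL text, so an apostrophe (or a deliberate injection payload) in the input cannot change what the query does. This assumes PDO with the sqlite driver so that it runs offline against an in-memory database; the table definition and the sample articles are constructed for the demo. For the thread's MySQL database the only change is the DSN (assumed form: 'mysql:host=host;dbname=itdirectory') plus the real username and password.

```php
<?php
// Added example (not from the original thread): store the form fields with a
// prepared statement instead of addslashes(). Assumption: PDO with the sqlite
// driver is available; the in-memory database only exists so this runs offline.
// For MySQL use e.g. 'mysql:host=host;dbname=itdirectory' with real credentials.
const DSN = 'sqlite::memory:';

function connect(): PDO
{
    $db = new PDO(DSN, null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    if (strncmp(DSN, 'mysql:', 6) === 0) {
        // On MySQL, use real server-side prepares rather than client-side emulation.
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    // Same shape as the thread's tutorial_articles table (constructed here for the demo).
    $db->exec('CREATE TABLE IF NOT EXISTS tutorial_articles (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        title TEXT NOT NULL, category TEXT NOT NULL,
        content TEXT NOT NULL, tags TEXT NOT NULL)');
    return $db;
}

// Insert one article from the POSTed form fields; returns the new row id.
// No escaping is done here: the placeholders carry the values as data.
function insert_article(PDO $db, array $post): int
{
    foreach (['tutorial_title', 'tutorial_category', 'tutorial_content', 'tutorial_tags'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing form field $field");
        }
    }
    $stmt = $db->prepare(
        'INSERT INTO tutorial_articles (title, category, content, tags) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $post['tutorial_title'],
        $post['tutorial_category'],
        $post['tutorial_content'],
        $post['tutorial_tags'],
    ]);
    return (int) $db->lastInsertId();
}

// Look one article up by id, again through a placeholder.
function fetch_article(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title, category, content, tags FROM tutorial_articles WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Demo with constructed input: the kind of value that broke the original page,
// and a classic injection payload that is now stored as plain text.
$db = connect();
$id1 = insert_article($db, [
    'tutorial_title'    => "Can't be working",
    'tutorial_category' => 'PHP',
    'tutorial_content'  => "Here's some text with 'quotes' and a \\ backslash.",
    'tutorial_tags'     => 'php, mysql',
]);
$id2 = insert_article($db, [
    'tutorial_title'    => "x'); DROP TABLE tutorial_articles; --",
    'tutorial_category' => 'test',
    'tutorial_content'  => '',
    'tutorial_tags'     => '',
]);

// The apostrophe round-trips unchanged, with no backslash added or needed,
// and the payload is just a title; the table is still there to count.
if (fetch_article($db, $id1)['title'] !== "Can't be working") {
    throw new RuntimeException('title did not round-trip');
}
if (fetch_article($db, $id2)['title'] !== "x'); DROP TABLE tutorial_articles; --") {
    throw new RuntimeException('payload was not stored as data');
}
echo 'stored ', $db->query('SELECT COUNT(*) FROM tutorial_articles')->fetchColumn(), " rows\n";
```

Two caveats worth knowing before reaching for stripslashes: a stored value that comes back as Can\'t means the text was escaped twice on the way in (typically magic_quotes_gpc on top of addslashes), so the backslash is really in the database; repair those rows once rather than stripping on every output. Once the insert uses placeholders nothing is added, so nothing needs stripping. The mysql_* functions the thread uses are also gone from PHP 7 onward, which is another reason to move to PDO or mysqli.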

A ' has meaning in HTML and it will break the HTML on your page if you simply echo/output it. Any content that you output on a page (that is not intended to be HTML tags) needs to be passed through htmlentities with the second parameter set to ENT_QUOTES.
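Added example, not code from the thread: output encoding chosen per context. The link page in the thread puts two different contexts in one string, the URL inside href='...' and the text between the tags, and HTML-escaping the URL part with htmlentities does not make it a valid URL. It also copies title, category, content and tags into the query string, and tutorialshow.php echoes those query parameters straight back, so anybody who can craft a link controls what that page renders. The functions below pass only the id in the link, validate it on the way back in, and HTML-escape every field at the point where it is printed. The row array is constructed for the demo; the show page would obtain it with a prepared SELECT ... WHERE id = ? using the validated id.

```php
<?php
// Added example (not from the original thread): escape on output, per context.
// Assumptions: UTF-8 pages, a row array shaped like the thread's
// tutorial_articles table, and a show page that looks the row up by id.

// HTML text and attribute values: ENT_QUOTES covers both ' and " as well as
// < > &. htmlentities with ENT_QUOTES works too; htmlspecialchars is enough
// for correctness and leaves non-ASCII text readable in the source.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Link to the show page: only the id goes in the query string (URL-encoded),
// and the whole URL is then HTML-escaped because it sits inside an attribute.
function article_link(array $row): string
{
    $href = 'tutorialshow.php?' . http_build_query(['id' => (int) $row['id']]);
    return '<a href="' . h($href) . '" target="_blank">' . h($row['title']) . '</a>';
}

// Show page header: the fields the thread echoes raw, now escaped.
function article_header(array $row): string
{
    return '<span style="font-size:x-large">' . h($row['title']) . '</span> - '
         . '<span style="color:green">' . h($row['category']) . '</span>';
}

// Body text: escape first, then turn the user's newlines into <br>.
// Stored text is never echoed as HTML unless it has been through a real HTML sanitiser.
function article_body(array $row): string
{
    return nl2br(h($row['content']));
}

// Validate the id coming back from the query string before using it in a lookup.
function parse_id(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample row: the input that broke the original page, plus a
// script tag to show that it is rendered as text rather than executed.
$row = [
    'id'       => 7,
    'title'    => "Can't be working",
    'category' => 'PHP <script>alert(1)</script>',
    'content'  => "Line one with 'quotes'\nLine two & <b>bold</b>",
    'tags'     => 'php',
];
echo article_link($row), "\n";
echo article_header($row), "\n";
echo article_body($row), "\n";
var_dump(parse_id(['id' => '7']), parse_id(['id' => "7' OR 1=1"]), parse_id([]));
```

With this, the $_GET['title'], $_GET['category'], $_GET['content'] and $_GET['tags'] assignments on the show page disappear: it calls parse_id($_GET), fetches the row by that id, and hands the row to these functions. The same h() call belongs around the title inside the <title> element, which is also HTML context.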

Ok, guys I tried the htmlentities() with the second parameter set to ENT_QUOTES like this:

 

$link = "<a href='tutorialshow.php?id=" . $row['id'] . "&title=" . htmlentities($row['title'], ENT_QUOTES) . "&category=" . htmlentities($row['category'], ENT_QUOTES) . "&content=" . htmlentities($row['content'], ENT_QUOTES) . "&tags=" . htmlentities($row['tags'], ENT_QUOTES) . "' target='new'>" . htmlentities($row['title'], ENT_QUOTES) . "</a>";

 

echo $link . "<br>";

 

but I get this in the output for the title part (the part with the '):

Can\'t be working.

 

It places that \ and I don't need that. Do I have to use that stripslash function now?

It places that \ and I don't need that. Do I have to use that stripslash function now?

 

Yes. Stripslashes will do the trick.

 

<?php
// Remove backslashes. stripslashes() returns the cleaned string, so keep the result.
$somevariable = stripslashes($somevariable);
// Notes: http://php.net/manual/en/function.stripslashes.php
?>
