galvin Posted November 12, 2010

I imagine there are lots of ways to answer this question, so I just want people's opinions as to the best way (if there is one).

I have code with a basic form that submits data to a MySQL database. So when someone submits data the first time, I "clean it up" by doing...

```php
$_POST['data'] = trim(mysql_prep($_POST['data']));
```

...and then submit that info into a "varchar" MySQL field.

Then if the user comes back to edit it, the form comes up and the data they previously entered is pulled into the field this way (I'm leaving out the MySQL to pull the data, obviously)...

```php
<input type="text" name="field" value="<?php echo $data;?>">
```

The problem is that if someone entered this originally...

Here is "some" data with apostrophes

...Then when I echo that back into the value of the text field, it would only show...

Here is "

...and then cuts off because the quotation mark in the data conflicted with the quotation mark after value=

Is htmlentities the answer here, or is there some other/better way?

FYI...

```php
function mysql_prep($value) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
    if ($new_enough_php) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if ($magic_quotes_active) { $value = stripslashes($value); }
        $value = mysql_real_escape_string($value);
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        // (the original tested the bare word magic_quotes_active, without the $)
        if (!$magic_quotes_active) { $value = addslashes($value); }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}
```

spfoonnewb Posted November 12, 2010

You can use htmlentities() in this particular case.

Pikachu2000 Posted November 12, 2010

Yes, htmlentities() would take care of this.

ManiacDan Posted November 12, 2010

Don't ever use addslashes. Use stripslashes on input if magic_quotes are enabled, otherwise use the mysql_real_escape_string function (or its equivalent in whatever database you use) for inserting into your database.

Use htmlentities for echoing HTML, mysql_real_escape_string for inserting into mysql.

Also, the " symbol is "quotes" or usually "double-quotes." A single ' is an apostrophe when it's inside a word, or "single quotes" when they surround a string.

-Dan

galvin Posted November 13, 2010 (Author)

Thanks everyone. I also have some situations where someone submits info, but they didn't complete required fields, so I store the info they did enter into a Session variable and then echo that into the "value" so they don't have to reenter what they already typed.

I'm using HTMLentities to echo this data back and I'm finding that if someone enters a double quote like...

here is "something"

It gets echoed back (using HTMLentities) as...

here is \"something

And then if they submit again, but don't fill in all fields again, it comes back as...

here is \\\"something

And it has potential to get a lot of those "escape" slashes if they keep missing required fields.

Should I not be using htmlentities in this case, since the data isn't coming from MySQL, but is instead just coming from a Session variable?

Pikachu2000 Posted November 13, 2010

That looks as though you have magic_quotes_gpc on in the php.ini file. Disable it if you can do so, and handle character escapement yourself.
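
The growing backslashes described in the thread, and the stripslashes-on-input plus htmlentities-on-output approach the replies recommend, as an added example that is not part of the original posts. It assumes a PHP CLI; `simulate_magic_quotes()`, `html_attr()`, `browser_resubmit()` and `round_trips()` are hypothetical helpers, and the magic_quotes_gpc behaviour is simulated with `addslashes()`.

```php
<?php
// Added example, not code from the thread.
// Hypothetical stand-in for magic_quotes_gpc, which backslash-escaped
// quotes and backslashes in every request value, as addslashes() does.
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Escape for an HTML attribute at output time only.
// ENT_QUOTES also converts the apostrophe, so value='...' is covered too.
function html_attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// What the browser posts back: it decodes the entities in the attribute.
function browser_resubmit(string $escapedAttr): string
{
    return html_entity_decode($escapedAttr, ENT_QUOTES, 'UTF-8');
}

// Submit the form $times times with a required field missing each time.
// $undoMagicQuotes = false stores the slashed value, so slashes pile up;
// true strips them once on input, so the session keeps the text as typed.
function round_trips(string $typed, int $times, bool $undoMagicQuotes): string
{
    $session = '';
    $posted = $typed;
    for ($i = 0; $i < $times; $i++) {
        $received = simulate_magic_quotes($posted);
        $session = $undoMagicQuotes ? stripslashes($received) : $received;
        // The form is re-rendered from the session and submitted again.
        $posted = browser_resubmit(html_attr($session));
    }
    return $session;
}

$typed = 'here is "something"'; // constructed sample input

echo round_trips($typed, 2, false), "\n"; // slashes accumulate per submit
echo round_trips($typed, 2, true), "\n";  // value survives unchanged

// The quote can no longer close the value="..." attribute early.
echo '<input type="text" name="field" value="' . html_attr($typed) . '">', "\n";
```

htmlentities never adds backslashes; they come from the input side, which is why the fix belongs where the request value is read rather than where it is echoed.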