addslashes() Problems

[shai1]

A while back I posted a question about how to deal with single and double quote marks in a string that I was trying to post back to a form field. I was told to use addslashes(). This seemed like it would be the answer to my questions, but now when I put it into practice I'm getting problems.

 

Here is the code I'm trying to use...

 

<input type=text name='headline' size=63 tabindex=13 value='<?php print addslashes($Headline); ?>'>

 

The problem is that with the code like this I'm getting a text field with a slash where my single quote should be and then everything else drops off.

 

Any thoughts on what I could do to correct my problem?

 

Thanks,

Dave

[poirot]

Don't use addslashes in this case. Change your code to:

 

<input type=text name='headline' size=63 tabindex=13 value="<?php print $Headline; ?>">

 

Notice that I've changed the single quotes to double quotes. This will prevent the browser from "thinking" that value stopped where it shouldn't stop. Also, by using this, your $Headline string can't contain double quotes

[shai1]

That is the problem I have. The text in $Headline could contain either a single quote, double quote, both or neither. I need to be able to import the and display the text in any case. If addslashes() doesn't work is there another option, or am I just using addslashes incorrectly?

 

Thanks,

Dave

 

 

 

Don't use addslashes in this case. Change your code to:

 

<input type=text name='headline' size=63 tabindex=13 value="<?php print $Headline; ?>">

 

Notice that I've changed the single quotes to double quotes. This will prevent the browser from "thinking" that value stopped where it shouldn't stop. Also, by using this, your $Headline string can't contain double quotes

219559[/snapback]

 

[shai1]

OK...I think I have figured out a little more about my problem. I have two simple pages, a form and then a page that prints the data entered into the form.

 

Page1

<HTML>
<BODY>

<FORM ACTION='test2.php' METHOD=POST>
<TEXTAREA NAME='test' COLS=46 ROWS=7 ></TEXTAREA>
<input type='submit' name='submit' value='Pass Off!'>
</FORM>

</BODY>
</HTML>

 

Page2

<HTML>
<HEAD>
</HEAD>
<BODY>
<?php
print $_POST[test];
?>
</BODY>
</HTML>

 

If I enter text in the form that says...

This is David's test text

 

When it is printed on the next page it looks like this...

This is David\'s test text

 

It's like it is automatically doing the addslashes() function. Then by the time it gets to my database, everything after the \ is dropped.

 

I have another site with very similar code and it works correctly...what am I missing here?

 

Thanks,

Dave

[bbaker]

<HTML>
<HEAD>
</HEAD>
<BODY>
<?php
print stripslashes($_POST[test]);
?>
</BODY>
</HTML>

[shai1]

I tried your suggestion and it worked, but I'm frustrated that one time it worked without having to do this and now on this new site it doesn't. It makes me a little unsure of my results. I didn't have to do this with my other site.

 

It's also still not putting the data into the database correctly! ARRRHHHH!!

[bbaker]

I tried your suggestion and it worked, but I'm frustrated that one time it worked without having to do this and now on this new site it doesn't. It makes me a little unsure of my results. I didn't have to do this with my other site.

 

It's also still not putting the data into the database correctly!  ARRRHHHH!!

219830[/snapback]

 

 

are you doing addslashes($_POST[test]) before put it into the database?

[shai1]

I've tried many combinations of addslashes() and stripslashes() and I'm still getting the same results.

[bbaker]

http://us4.php.net/manual/en/function.addslashes.php

"The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping. The function get_magic_quotes_gpc() may come in handy for checking this."

[shai1]

After pulling out a few more hairs and then reading your last message I realized you are correct. The slashes are already added to the string I get from my POST.

 

So that was part of my confusion, but I'm still having a problem when I do the insert into the MySQL database. It drops everything starting where the ' was. I've determined it must be something different with the way I've configured this database vs. the other one I use where this works. I don't, however, have any idea what that change would be.

 

Bothe databases are running on the same machine and I can't think of anything I would have done differently.

 

Anyone out there have any thoughts?

Dave

[shai1]

I have now come to a conclusion about what the problem is. I've actually got three pages...the form is broken down into two input pages. I pass the info from the first page to the second where I'm putting the data into hidden form fields. Those are then passed with the new info from the second page onto the third page which actually adds the data into the database. What is happening is the data from the first page is getting double escape characters.

 

I wanted to code it this way so I wasn't having to "hit" the database as often. Is there a way I can make it work the way I already have it coded?

 

Thanks,

Dave

[poirot]

Just a note: If you are trying to add them to a text field, use

htmlspecialchars and htmlentities to convert the single and double quotes.

[shai1]

[!--quoteo(post=221163:date=Apr 3 2005, 05:10 PM:name=poirot)--][div class=\'quotetop\']QUOTE(poirot @ Apr 3 2005, 05:10 PM) 221163[/snapback][/div][div class=\'quotemain\'][!--quotec--]

Just a note: If you are trying to add them to a text field, use

[a href=\"http://www.php.net/htmlspecialchars\" target=\"_blank\"]htmlspecialchars[/a] and [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a] to convert the single and double quotes.

 

This is exactly what I'm trying to do. Here is the situation...

Page one...Form Field for user to enter data. This data may have single quote, double quote, no quote or both quote marks. I have magic_quotes off in my PHP.ini file and on the insert page I'm using addslashes() around the $_POST[item].

 

The data is being entered into the database correctly, but when I bring the data back to be displayed in the form field, it drops anything after the single quote mark. I've tried adding htmlspecialchars() and htmlentities, but niether are working. I'm adding htmlentities() around the data I receive from my select statement before I try and display it in a form text box.

 

BTW...I'm using PHP 5.1.2, Apache2 and MySQL 5.0.15

 

Please help! I'm pulling my hair out and I don't have much left to start with.

 

Thanks,

Dave

[Squirrel*Salad]

here is what i do to stop faults like this

 

in a file called mainfile.php that is included on each page i have the following.

 

/**
* Disable magic_quotes_runtime
*/
set_magic_quotes_runtime( 0 );


/**
* Addslashes to variables if magic_quote_gpc is set to off
*/
if ( !get_magic_quotes_gpc() )
{
    if ( is_array( $HTTP_GET_VARS ) )
    {
        while ( list( $k, $v ) = each( $HTTP_GET_VARS ) )
        {
            if ( is_array( $HTTP_GET_VARS[$k] ) )
            {
                while ( list( $k2, $v2 ) = each( $HTTP_GET_VARS[$k] ) )
                {
                    $HTTP_GET_VARS[$k][$k2] = addslashes( $v2 );
                } 
                @reset( $HTTP_GET_VARS[$k] );
            } 
            else
            {
                $HTTP_GET_VARS[$k] = addslashes( $v );
            } 
        } 
        @reset( $HTTP_GET_VARS );
    } 

    if ( is_array( $HTTP_POST_VARS ) )
    {
        while ( list( $k, $v ) = each( $HTTP_POST_VARS ) )
        {
            if ( is_array( $HTTP_POST_VARS[$k] ) )
            {
                while ( list( $k2, $v2 ) = each( $HTTP_POST_VARS[$k] ) )
                {
                    $HTTP_POST_VARS[$k][$k2] = addslashes( $v2 );
                } 
                @reset( $HTTP_POST_VARS[$k] );
            } 
            else
            {
                $HTTP_POST_VARS[$k] = addslashes( $v );
            } 
        } 
        @reset( $HTTP_POST_VARS );
    } 

    if ( is_array( $HTTP_COOKIE_VARS ) )
    {
        while ( list( $k, $v ) = each( $HTTP_COOKIE_VARS ) )
        {
            if ( is_array( $HTTP_COOKIE_VARS[$k] ) )
            {
                while ( list( $k2, $v2 ) = each( $HTTP_COOKIE_VARS[$k] ) )
                {
                    $HTTP_COOKIE_VARS[$k][$k2] = addslashes( $v2 );
                } 
                @reset( $HTTP_COOKIE_VARS[$k] );
            } 
            else
            {
                $HTTP_COOKIE_VARS[$k] = addslashes( $v );
            } 
        } 
        @reset( $HTTP_COOKIE_VARS );
    } 
} 

 

 

this way i know all data has had slashes added. then you only have to use strip slashes when displaying data and not when adding to database.

[shai1]

My problem now has more to do with the stripslashes function rather than addslashes. When I try and display the data back into the input field I get anything after the ' cut off because that is the character that encloses the data to be displayed.

 

What do I do to solve this problem?

 

Thanks,

Dave

[wickning1]

<input type=text name='headline' size=63 tabindex=13 value='<?php echo htmlspecialchars($Headline); ?>'>

 

That doesn't solve your problem?

[kenrbnsn]

Here is a short script which does what you want:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
    <title>Form Test</title>
    <style type="text/css">
        body, html {
            padding: 0;
            margin: 0;
            font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
            font-size: 100%;
        }
        .txtinp {
            width: 90%;
        }
        
        form {
            display: block;
            width: 90%;
            margin-left: auto;
            margin-right: auto;
            border: 1px solid red;
            padding: 0.5em;
            margin-top: 1em;
        }
        
        .sub {
            text-align: center;
            color: Red;
            font-weight: bold;
        }

        .fw {
            display: block;
            width: 100%;
            text-align: center;
        }
        
        .label {
            font-weight: bold;
        }
        
        .dispit {
            text-align:center;width:100%;display:block;
        }
    </style>
</head>

<body>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']?>">
<span class="label">Input1: </span><input class="txtinp" name="input1" <?php if (isset($_POST['input1'])) echo 'value="' . htmlentities(stripslashes($_POST['input1']),ENT_COMPAT) . '"'; ?>><br>
<span class="fw"><input type="submit" class="sub" name="submit" value="Test It"></span>
</form>
<?php
if (isset($_POST['submit'])){
echo '<pre>'.print_r($_POST,true).'</pre>';
echo 'Raw input: <br><span class="dispit" style="color:red;">' . $_POST['input1'] . "</span><br><br>\n";
echo 'Input after applying stripslashes and htmlentities with the ENT_COMPAT option: <br><span class="dispit" style="color:blue;">' . htmlentities(stripslashes($_POST['input1']),ENT_COMPAT) . "</span><br>\n";
}
?>

</body>
</html>

 

See it in action at [a href=\"http://www.rbnsn.com/examples/form_value_test.php\" target=\"_blank\"]http://www.rbnsn.com/examples/form_value_test.php[/a]

 

Ken