addslashes() Problems



#1 shai1


Posted 29 March 2005 - 11:32 PM

A while back I posted a question about how to deal with single and double quote marks in a string that I was trying to post back to a form field. I was told to use addslashes(). This seemed like it would be the answer to my questions, but now when I put it into practice I'm getting problems.

Here is the code I'm trying to use...

<input type=text name='headline' size=63 tabindex=13 value='<?php print addslashes($Headline); ?>'>

The problem is that with the code like this I'm getting a text field with a slash where my single quote should be and then everything else drops off.

Any thoughts on what I could do to correct my problem?

Thanks,
Dave
You always get to choose your own lunch!
http://studio55salononline.com

#2 poirot


Posted 30 March 2005 - 01:10 AM

Don't use addslashes in this case. Change your code to:

<input type=text name='headline' size=63 tabindex=13 value="<?php print $Headline; ?>">

Notice that I've changed the single quotes to double quotes. This will prevent the browser from "thinking" that value stopped where it shouldn't stop. Also, by using this, your $Headline string can't contain double quotes.
~ D Kuang

#3 shai1


Posted 30 March 2005 - 03:34 PM

That is the problem I have. The text in $Headline could contain either a single quote, double quote, both or neither. I need to be able to import and display the text in any case. If addslashes() doesn't work, is there another option, or am I just using addslashes incorrectly?

Thanks,
Dave




#4 shai1


Posted 30 March 2005 - 05:23 PM

OK...I think I have figured out a little more about my problem. I have two simple pages, a form and then a page that prints the data entered into the form.

Page1
<HTML>
<BODY>

<FORM ACTION='test2.php' METHOD=POST>
<TEXTAREA NAME='test' COLS=46 ROWS=7 ></TEXTAREA>
<input type='submit' name='submit' value='Pass Off!'>
</FORM>

</BODY>
</HTML>

Page2
<HTML>
<HEAD>
</HEAD>
<BODY>
<?php
print $_POST['test'];
?>
</BODY>
</HTML>

If I enter text in the form that says...
This is David's test text

When it is printed on the next page it looks like this...
This is David\'s test text

It's like it is automatically doing the addslashes() function. Then by the time it gets to my database, everything after the \ is dropped.

I have another site with very similar code and it works correctly...what am I missing here?

Thanks,
Dave

#5 bbaker


Posted 30 March 2005 - 05:36 PM

<HTML>
<HEAD>
</HEAD>
<BODY>
<?php
print stripslashes($_POST['test']);
?>
</BODY>
</HTML>


#6 shai1


Posted 30 March 2005 - 05:39 PM

I tried your suggestion and it worked, but I'm frustrated that one time it worked without having to do this and now on this new site it doesn't. It makes me a little unsure of my results. I didn't have to do this with my other site.

It's also still not putting the data into the database correctly! ARRRHHHH!!

#7 bbaker


Posted 30 March 2005 - 06:03 PM




Are you doing addslashes($_POST[test]) before putting it into the database?

#8 shai1


Posted 30 March 2005 - 06:22 PM

I've tried many combinations of addslashes() and stripslashes() and I'm still getting the same results.

#9 bbaker


Posted 30 March 2005 - 07:59 PM

http://us4.php.net/m....addslashes.php
"The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping. The function get_magic_quotes_gpc() may come in handy for checking this."

#10 shai1


Posted 30 March 2005 - 09:40 PM

After pulling out a few more hairs and then reading your last message I realized you are correct. The slashes are already added to the string I get from my POST.

So that was part of my confusion, but I'm still having a problem when I do the insert into the MySQL database. It drops everything starting where the ' was. I've determined it must be something different with the way I've configured this database vs. the other one I use where this works. I don't, however, have any idea what that change would be.

Both databases are running on the same machine and I can't think of anything I would have done differently.

Anyone out there have any thoughts?
Dave

#11 shai1


Posted 30 March 2005 - 10:57 PM

I have now come to a conclusion about what the problem is. I've actually got three pages...the form is broken down into two input pages. I pass the info from the first page to the second where I'm putting the data into hidden form fields. Those are then passed with the new info from the second page onto the third page which actually adds the data into the database. What is happening is the data from the first page is getting double escape characters.

I wanted to code it this way so I wasn't having to "hit" the database as often. Is there a way I can make it work the way I already have it coded?

Thanks,
Dave
You always get to choose your own lunch!
http://studio55salononline.com
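
Added example (not part of any post in this thread): a simulation of the three-page flow described in post #11, showing how escaping on arrival plus a hidden-field round trip doubles the backslashes, and the alternative of carrying the raw string and escaping only at each sink. The helper names are hypothetical, `addslashes()` stands in for `magic_quotes_gpc`, and an in-memory SQLite database via PDO (PHP 7.1+, `pdo_sqlite`) stands in for the MySQL table.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Stand-in for magic_quotes_gpc: addslashes() on every value as it arrives.
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Page 2: carry a value forward in a hidden field, escaped for the HTML sink.
function hidden_field(string $name, string $value): string {
    return sprintf('<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// What the browser submits: the attribute value with entities decoded.
function browser_posts_back(string $html): string {
    preg_match('/ value="([^"]*)"/', $html, $m);
    return htmlspecialchars_decode($m[1], ENT_QUOTES);
}

$typed = "This is David's test text";   // constructed sample input

// Broken flow: escaped on arrival at page 2, re-posted, escaped again at page 3.
$page2 = simulate_magic_quotes($typed);
$page3 = simulate_magic_quotes(browser_posts_back(hidden_field('headline', $page2)));
echo "double escaped at page 3: $page3\n";

// Fixed flow: undo the arrival escaping once per request and carry the raw string.
$raw2 = stripslashes(simulate_magic_quotes($typed));
$raw3 = stripslashes(simulate_magic_quotes(browser_posts_back(hidden_field('headline', $raw2))));

// Database sink: a bound parameter needs no addslashes() at all.
$db = new PDO('sqlite::memory:');   // assumption: stand-in for the MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (headline TEXT)');
$db->prepare('INSERT INTO articles (headline) VALUES (?)')->execute([$raw3]);
$stored = $db->query('SELECT headline FROM articles')->fetchColumn();

echo "stored: $stored\n";
echo 'round trip intact: ', var_export($stored === $typed, true), "\n";
```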

#12 poirot


Posted 03 April 2005 - 11:10 PM

Just a note: If you are trying to add them to a text field, use
htmlspecialchars and htmlentities to convert the single and double quotes.
~ D Kuang

#13 shai1


Posted 24 February 2006 - 07:00 PM

QUOTE(poirot @ Apr 3 2005, 05:10 PM)
Just a note: If you are trying to add them to a text field, use
htmlspecialchars (http://www.php.net/htmlspecialchars) and htmlentities (http://www.php.net/htmlentities) to convert the single and double quotes.

This is exactly what I'm trying to do. Here is the situation...
Page one...Form Field for user to enter data. This data may have single quote, double quote, no quote or both quote marks. I have magic_quotes off in my PHP.ini file and on the insert page I'm using addslashes() around the $_POST[item].

The data is being entered into the database correctly, but when I bring the data back to be displayed in the form field, it drops anything after the single quote mark. I've tried adding htmlspecialchars() and htmlentities(), but neither is working. I'm adding htmlentities() around the data I receive from my select statement before I try and display it in a form text box.

BTW...I'm using PHP 5.1.2, Apache2 and MySQL 5.0.15

Please help! I'm pulling my hair out and I don't have much left to start with.

Thanks,
Dave

#14 Squirrel*Salad


Posted 26 February 2006 - 09:18 AM

Here is what I do to stop faults like this.

In a file called mainfile.php that is included on each page, I have the following.


/**
* Disable magic_quotes_runtime
*/
set_magic_quotes_runtime( 0 );


/**
* Addslashes to variables if magic_quotes_gpc is set to off
*/
if ( !get_magic_quotes_gpc() )
{
    if ( is_array( $HTTP_GET_VARS ) )
    {
        while ( list( $k, $v ) = each( $HTTP_GET_VARS ) )
        {
            if ( is_array( $HTTP_GET_VARS[$k] ) )
            {
                while ( list( $k2, $v2 ) = each( $HTTP_GET_VARS[$k] ) )
                {
                    $HTTP_GET_VARS[$k][$k2] = addslashes( $v2 );
                } 
                @reset( $HTTP_GET_VARS[$k] );
            } 
            else
            {
                $HTTP_GET_VARS[$k] = addslashes( $v );
            } 
        } 
        @reset( $HTTP_GET_VARS );
    } 

    if ( is_array( $HTTP_POST_VARS ) )
    {
        while ( list( $k, $v ) = each( $HTTP_POST_VARS ) )
        {
            if ( is_array( $HTTP_POST_VARS[$k] ) )
            {
                while ( list( $k2, $v2 ) = each( $HTTP_POST_VARS[$k] ) )
                {
                    $HTTP_POST_VARS[$k][$k2] = addslashes( $v2 );
                } 
                @reset( $HTTP_POST_VARS[$k] );
            } 
            else
            {
                $HTTP_POST_VARS[$k] = addslashes( $v );
            } 
        } 
        @reset( $HTTP_POST_VARS );
    } 

    if ( is_array( $HTTP_COOKIE_VARS ) )
    {
        while ( list( $k, $v ) = each( $HTTP_COOKIE_VARS ) )
        {
            if ( is_array( $HTTP_COOKIE_VARS[$k] ) )
            {
                while ( list( $k2, $v2 ) = each( $HTTP_COOKIE_VARS[$k] ) )
                {
                    $HTTP_COOKIE_VARS[$k][$k2] = addslashes( $v2 );
                } 
                @reset( $HTTP_COOKIE_VARS[$k] );
            } 
            else
            {
                $HTTP_COOKIE_VARS[$k] = addslashes( $v );
            } 
        } 
        @reset( $HTTP_COOKIE_VARS );
    } 
} 



This way I know all data has had slashes added. Then you only have to use strip slashes when displaying data and not when adding to the database.

#15 shai1


Posted 02 March 2006 - 10:16 PM

My problem now has more to do with the stripslashes function rather than addslashes. When I try and display the data back into the input field I get anything after the ' cut off because that is the character that encloses the data to be displayed.

What do I do to solve this problem?

Thanks,
Dave

#16 wickning1


Posted 03 March 2006 - 01:02 AM

<input type=text name='headline' size=63 tabindex=13 value='<?php echo htmlspecialchars($Headline, ENT_QUOTES); ?>'>

That doesn't solve your problem?

#17 kenrbnsn


Posted 03 March 2006 - 03:19 AM

Here is a short script which does what you want:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
    <title>Form Test</title>
    <style type="text/css">
        body, html {
            padding: 0;
            margin: 0;
            font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
            font-size: 100%;
        }
        .txtinp {
            width: 90%;
        }
        
        form {
            display: block;
            width: 90%;
            margin-left: auto;
            margin-right: auto;
            border: 1px solid red;
            padding: 0.5em;
            margin-top: 1em;
        }
        
        .sub {
            text-align: center;
            color: Red;
            font-weight: bold;
        }

        .fw {
            display: block;
            width: 100%;
            text-align: center;
        }
        
        .label {
            font-weight: bold;
        }
        
        .dispit {
            text-align:center;width:100%;display:block;
        }
    </style>
</head>

<body>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
<span class="label">Input1: </span><input class="txtinp" name="input1" <?php if (isset($_POST['input1'])) echo 'value="' . htmlentities(stripslashes($_POST['input1']),ENT_COMPAT) . '"'; ?>><br>
<span class="fw"><input type="submit" class="sub" name="submit" value="Test It"></span>
</form>
<?php
if (isset($_POST['submit'])){
 echo '<pre>'.print_r($_POST,true).'</pre>';
 echo 'Raw input: <br><span class="dispit" style="color:red;">' . $_POST['input1'] . "</span><br><br>\n";
 echo 'Input after applying stripslashes and htmlentities with the ENT_COMPAT option: <br><span class="dispit" style="color:blue;">' . htmlentities(stripslashes($_POST['input1']),ENT_COMPAT) . "</span><br>\n";
}
?>

</body>
</html>


See it in action at http://www.rbnsn.com/examples/form_value_test.php

Ken
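
Added example (not code from any poster): the same headline rendered with each combination of attribute quote and `htmlspecialchars()` flag that comes up in this thread, then parsed back with libxml's HTML parser (PHP's DOM extension, standing in for the browser) to show which combinations cut the value short. `render_input()` and `parsed_value()` are hypothetical helpers; the flags are passed explicitly because the default was `ENT_COMPAT` before PHP 8.1.

```php
<?php
// Added example, not code from the thread; helper names are hypothetical.

// Render the thread's headline input with a chosen attribute quote and flag.
function render_input(string $value, string $quote, int $flags): string {
    $escaped = htmlspecialchars($value, $flags | ENT_HTML401, 'UTF-8');
    return "<input type=text name='headline' value={$quote}{$escaped}{$quote}>";
}

// Parse the markup and return the value attribute the parser ends up with.
function parsed_value(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : '';
}

$headline = 'David\'s "big" <test>';   // constructed sample with both quote kinds

$cases = [
    'single-quoted, ENT_COMPAT'   => ["'", ENT_COMPAT],    // leaves ' unescaped
    'single-quoted, ENT_QUOTES'   => ["'", ENT_QUOTES],    // escapes both ' and "
    'double-quoted, ENT_COMPAT'   => ['"', ENT_COMPAT],    // escapes " only
    'double-quoted, ENT_NOQUOTES' => ['"', ENT_NOQUOTES],  // escapes neither quote
];

foreach ($cases as $label => [$quote, $flags]) {
    $html = render_input($headline, $quote, $flags);
    $seen = parsed_value($html);
    printf("%-28s %-9s parser sees: %s\n",
        $label, $seen === $headline ? 'intact' : 'TRUNCATED', $seen);
}
```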



