Entering Quotations into Databases

[Xtremer360]

What's the best way for putting actual quotations into a database?

 

I was using...

 

$quote = htmlspecialchars(mysqli_real_escape_string($dbc, $_POST['quote']));

 

Should I be?

[BlueSkyIS]

i wouldn't use htmlspecialchars on a string before storing it.

[Xtremer360]

okay thank you however when I'm pulling it out to display it I have stripslashes($row[ 'quote' ]); and it's not stripping out those backslashes.

[BlueSkyIS]

if you have magic quotes enabled, you'll want to stripslashes() before using mysql_real_escape_string(), otherwise you'll get two sets of slashes instead of one.

 

$quote = $_POST['quote'];
if (get_magic_quotes_gpc()) {
$quote = stripslashes($quote);
}
$quote = mysql_real_escape_string($quote);

[Xtremer360]

Okay so I have:

 

$query = "SELECT DATE_FORMAT(quotes.datecreated, '%M %d, %Y') AS datecreated, id, quote FROM quotes";
$result = mysqli_query ( $dbc, $query ); // Run The Query
$rows = mysqli_num_rows($result);
stripslashes($row[ 'quote' ]);

<?php 
        while ( $row = mysqli_fetch_array ( $result, MYSQL_ASSOC ) ) {
              echo '
              <tr>
                  <td><input type=checkbox class=checkbox value="' . $row['id'] . '" /></td>
                  <td>' . $row['quote'] . '</a></td>
    			  <td class=last>' . $row['datecreated'] . '</td>
		  </tr>';
            }
            ?>

 

And its still showing the backslashes.

[BlueSkyIS]

you should not have to use stripslashes() on stored data.

 

there shouldn't be any extra slashes in your data. if there are extra slashes in your data, they were put there because of improper filtering of input. you should remove the slashes in the database and filter the input SQL properly so you don't have to stripslashes() on the data when you retrieve it.

[Xtremer360]

I guess I'm still confused because this is what I have for the form submission.

 

$quote = mysqli_real_escape_string($dbc, $_POST['quote']);

 

So if on my form the user puts "This is just a test quote". That's how I want it to appear in the database.

[BlueSkyIS]

because magic quotes is probably on, so you ended up inserting with double slashes. see code above, here modified for mysqli

 

$quote = $_POST['quote'];
if (get_magic_quotes_gpc()) {
$quote = stripslashes($quote);
}
$quote = mysqli_real_escape_string($dbc, $_POST['quote']);

[Xtremer360]

It still did it.

 

<?php

// Include the database page
require ('../inc/dbconfig.php');

if (isset($_POST['submitquote'])) {
    $quote = $_POST['quote'];
    if (get_magic_quotes_gpc()) {
       $quote = stripslashes($quote);
    }
    $quote = mysqli_real_escape_string($dbc, $_POST['quote']);

    $query = "INSERT INTO `quotes` 
            (quote, character_id, datecreated) 
        VALUES 
            ('$quote', 1, NOW())";
    
    mysqli_query($dbc,$query);
    
}
        
?>

[BlueSkyIS]

what still did what? can you post your latest code?

[Xtremer360]

I just did above. That's for the form processing page and here's for the actual form.

 

<?php

// Include the database page
require ('../inc/dbconfig.php');

?>

<script type="text/javascript">
$(document).ready(function() {
    $('div.message-error').hide();
    $('div.message-success').hide();
    $("input.submit").click(function() {
        $('div.message-error').hide();
        var quote = $("input#quote").val();
    	if (quote == "") {
            $("div.message-error").show();
            $("input#quote").focus();
            return false;
        }
        var dataString = 'quote=' + quote + '&submitquote=True';
        $.ajax({
        type: "POST",
        url: "processes/quote.php",
        data: dataString,
        success: function() {
            $('div.message-error').hide();
            $("div.message-success").html("<h6>Operation successful</h6><p>" + quote + " saved successfully.</p>");
            $("div.message-success").show().delay(10000).hide("slow");
            $(':input','#quotesform')
            .not(':submit')
            .val('')
            return true;
            }
        });
        return false;    
    });
});
</script>

<!-- Form -->
<form action="#" id="quotesform">
<fieldset>
	<legend>Add New Quote</legend>
        <div class="field required">
		<label for="quote">Quote</label>
		<input type="text" class="text" name="quote" id="quote" title="Quote"/>
		<span class="required-icon tooltip" title="Required field - This field is required, it cannot be blank, and must contain something that is different from emptyness in order to be filled in. ">Required</span>
	</div>
        	<input type="submit" class="submit" name="submitquote" id="submitquote" title="Submit Quote" value="Submit Quote"/>
</fieldset>
</form>
<!-- /Form -->

<!-- Messages -->
<div class="message message-error">
    <h6>Required field missing</h6>
    <p>Please fill in all required fields. </p>
</div>

<div class="message message-success">
    <h6>Operation succesful</h6>
    <p>Content Page was added to the database.</p>
</div>
<!-- /Messages -->

[BlueSkyIS]

it still inserts double slashes into the database?

[Xtremer360]

yep

[BlueSkyIS]

it shouldn't but as an experiment try removing the if

 

$quote = $_POST['quote'];
$quote = stripslashes($quote);
$quote = mysqli_real_escape_string($dbc, $_POST['quote']);

 

and how are you looking at the stored data? using phpmyadmin or something?

[BlueSkyIS]

sorry, I am a part-time idiot. try this.

 

$quote = $_POST['quote'];
if (get_magic_quotes_gpc()) {
$quote = stripslashes($quote);
}
$quote = mysqli_real_escape_string($dbc, $quote);

 

in the previous posts, I modified $quote, but then used mysqli_real_escape_string on $_POST['quote']. bad.

[Xtremer360]

That worked. Thank you.