Having trouble with slashes \ and apostrophes ' . Help appreciated.


ade2901


Hi all,

 

I've been having some trouble with the whole slashes and apostrophe situation.

 

When the user enters into the database locally they can enter in apostrophes no problem and it outputs on the site no problem.

 

When the user edits the data it then alters it and removes apostrophes from the headline field, not the text editor field (tinyMCE).

 

However, when I test it on the web (it's secured so I am unable to provide a link), there are more problems, those being that when it enters into the database it adds slashes where there are apostrophes but doesn't do this locally... Could this be a PHP version issue? Version 5.3.5 on the web and 5.3.1 locally.

 

In addition, when you come to edit the data all of the apostrophes and following letter have been removed and slashes put in their place. But as I say this doesn't happen locally..

 

Here is the insert statement:

 

<?php
require_once('auth.php');
?>
<?php

$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");


$newsHeadline = $_POST['newsHeadline'];
$newsContent = $_POST['newsContent'];



    $query = "INSERT INTO news (newsDate, newsHeadline, newsContent) VALUES ('".date("l"." "."j"." "."F"." "."Y")."','".mysql_real_escape_string($newsHeadline)."','".mysql_real_escape_string($newsContent)."')"; 
if(mysql_query($query))
{
        echo "News successfully inserted.<br/><a href='addNews.php'>Back to main page</a><br/>";
}else  
        echo "Encountered an error.".mysql_error()."<a href='javascript:history.go(-1)'>Click here to go back</a><br/>";


// close connection
mysql_close();
?>

 

Here is the php to output the text

// while there are rows to be fetched...
while ($list = mysql_fetch_assoc($resultSelectNewsData)) {
   // echo data
   echo "<div class='newsArticle'><p class='newsHeadline'>";
   echo stripslashes ($list['newsHeadline']);
   echo "<br /><span class='nDate'>Posted on: ".$list['newsDate']."</span></p><div class='newsContent'><p>";
   echo stripslashes ($list['newsContent']);
   echo "</p></div><!--news content end--><br /></div><!--news article end-->";
} // end while

 

 

 

Here is the PHP to view the data ready to edit:

 

<?php
require_once('auth.php');
?>
<?php $pagetitle = "Langbaurgh Sunday League";?>


<?php include("includesAdmin/header.php");?>
<?php include("includesAdmin/nav.php");?>
  <div id="mainContentAdmin">
  	<h1>Admin Panel</h1>

<?php
// Make a MySQL Connection

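// Escape the ID before it goes into the query (it was used unescaped here).
// mysql_real_escape_string() needs the connection to be open already.
$newsID = mysql_real_escape_string($_GET['newsID']);
//Query to join tables and obtain team names linked to IDs
$sql2= mysql_query ("SELECT * FROM news WHERE newsID = '$newsID'")or die(mysql_error());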

echo "<form name='editDetails' method='post' action='php_update_news_item.php'>";

$row = mysql_fetch_array($sql2);

// Print out the contents of each row
echo "<input type='hidden' name='newsID' id='newsID' size='15' value='".$row['newsID']."'/>";
echo"News Headine: <br /><input type='text' name='newsHeadline' id='newsHeadline' size='40' value='".$row['newsHeadline']."'/><br />";
echo"News Story: <br /><textarea name='newsContent' id='newsContent' cols='50' rows='15'>".$row['newsContent']."</textarea>";
echo "<input type='submit' name='submit' value='Update News Story'/>";
mysql_close();

?>

  </div><!--contentAreaEnd-->


<?php include("includesAdmin/footer.php");?>

 

 

Here is the file to update the data

<?php
require_once('auth.php');
?>
<?php

$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$newsID = $_POST['newsID'];
$newsHeadline = $_POST['newsHeadline'];
$newsContent = $_POST['newsContent'];



    $query = "UPDATE news SET newsHeadline='".mysql_real_escape_string($newsHeadline)."', newsContent='".mysql_real_escape_string($newsContent)."' WHERE newsID='".mysql_real_escape_string($newsID)."'"; 
if(mysql_query($query))
{
        echo "News successfully updated.<br/><a href='view_news_id.php'>Back to news viewing</a><br/>";
}else  
        echo "Encountered an error.".mysql_error()."<a href='javascript:history.go(-1)'>Click here to go back</a><br/>";


// close connection
mysql_close();
?>

 

 

All help would be massively appreciated as I am really stuck with this. I've tried all sorts including stripslashes, trim, a combination of both, yet I hit snags with each one of them..

 

Many thanks in advance,

 

Aidan

 


When getting data from a form, (1) stripslashes() it only if magic_quotes is enabled. You can do

$value = $_POST["value"];
if (function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) $value = stripslashes($value);

(2) Do nothing else to it until (3) mysql_real_escape_string() and your SQL queries.

When getting data from the database, (4) do nothing to it. Exceptions are for (5) using htmlentities() and htmlspecialchars().

 

 

A quick glance says the only thing you're doing wrong is step 2 by calling stripslashes() on the stuff from the database. Don't.


Hi, thanks for that. I'll give it a go tomorrow. The reason I have stripslashes is because it prints out the slashes entered into the database as it isn't removing them when the data is entered into the database. Locally it seems to nearly work but on the server it's entirely different.. the slashes are stored in the database on the server hence the need to strip slashes. On my local server the slashes aren't stored. Very strange.. Thanks again for your reply :-).


Thanks Requinix, turns out it was the magic quotes.. I had wondered!

 

Only problem now is that when you go to edit the data the apostrophes are omitted from the 'headline' field. Does anyone know where I could be going wrong with this? This will relate to the code "Here is the PHP to view the data ready to edit:"

 

All help as always is extremely appreciated!


And now you're missing out on step 5.

 

With an apostrophe the HTML for the headline's looks like


See how the apostrophe interrupts the value? You need to escape it with a function like htmlentities:

""

There might be something else going on besides missing that.

 

Basically, all your data should flow like:

1. User enters value in form

2. You grab $value from the form and stripslashes() it only if magic_quotes is enabled

3. You use mysql_real_escape_string($value) in your SQL - not $value directly.

4. Coming back out, you use htmlspecialchars() or htmlentities(), perhaps with ENT_QUOTES if you specifically need apostrophes escaped, when displaying the value.

There shouldn't be any other addslashes()s or stripslashes()s or mysql_real_escape_string()s or htmlspecialchars()s or htmlentities()s.
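
The form-side half of that flow, as an added example that is not part of the original thread: it undoes magic quotes once on input and escapes once on output, using the field names from the edit form above. The helper names, the sample values and the UTF-8 charset are assumptions.

```php
<?php
// Added example. Helper names and the sample values are constructed.

// Step 2: undo magic_quotes_gpc once, on input, and only when it is on.
// The function_exists() guard matters on PHP 8, where the function is gone.
function form_value($raw)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($raw);
    }
    return $raw;
}

// The edit form as posted: the stored value is concatenated straight into a
// single-quoted attribute, so an apostrophe in it closes the attribute early.
function headline_field_unescaped($headline)
{
    return "<input type='text' name='newsHeadline' value='" . $headline . "'/>";
}

// Step 4: escape at output time. ENT_QUOTES is needed because the attribute
// is single-quoted; before PHP 8.1 the default flags leave ' untouched.
// The UTF-8 charset is an assumption about the site's encoding.
function headline_field($headline)
{
    $safe = htmlspecialchars($headline, ENT_QUOTES, 'UTF-8');
    return "<input type='text' name='newsHeadline' value='" . $safe . "'/>";
}

// Element content (the textarea) needs the same call: it stops stored markup
// such as a closing </textarea> from ending the element.
function content_field($content)
{
    $safe = htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    return "<textarea name='newsContent'>" . $safe . "</textarea>";
}

$headline = form_value("Rovers' late winner");           // constructed sample
$content  = form_value("<p>It's 2-1 at full time</p>");  // constructed sample

echo headline_field_unescaped($headline), "\n"; // attribute is cut short
echo headline_field($headline), "\n";           // apostrophe survives the round trip
echo content_field($content), "\n";
```

The browser decodes the entities when the form is submitted, so the value that reaches the update script is the original text and nothing has to be undone before mysql_real_escape_string().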
