
Problem with apostrophes


Jimmyfr


Hi. Apologies in advance if this is a stupid question, but hoping someone can help. I'm trying to help a friend who is running a photo gallery script on his website. The developer of the script is not supporting it any longer and I have limited php knowledge.

I've been told by his ISP that the script will only work on PHP version 5.6. The problem he has is that when he is adding descriptions to the photos via a back end form, if he uses an apostrophe as in O'Sullivan for example, when he saves the entry, the description text does not show at all. This seems to be a conflict with the php language. Is there a line of code that I can add to the config file or somewhere that will get around this problem?

Thanks in advance for any help you can give.

Link to comment

It's not a "conflict with the php language" - it's downright sloppy work on the part of your "Developer". 

People's names have had apostrophes in them for centuries.  In more recent decades, programming and markup languages (like PHP and HTML) have used apostrophes to delimit the start and end of things like string literals and attribute values. 

Your Developer has failed to take into account this conflict between the two usages of this innocuous-looking character (and, indeed, if this data is going anywhere near a Database, the tools and techniques that have also been around for many years that get around this particular problem, specifically Parameterised Queries). 

Your User might be able to work around this problem by "doubling-up" the apostrophes when entering them into the "back end form" (i.e. type the ' character twice), as in [ O''Sullivan ]. 
This might at least get the data safely into the Database (if that's where it's going) but won't guarantee that the data will render correctly at the HTML end of things.   

This could have been a lot worse.  
Obligatory XKCD Reference: Little Bobby Tables

I would recommend that you acquire the services of someone who actually knows what they're doing with PHP to assist you in this. 

Regards, 
   Phill  W.

 

Link to comment

Thanks for getting back to me. There's not much I can do about what's gone before, perhaps that's why the guy isn't supporting it any longer. To answer your last point, the reason I posted here was because I was hoping that "someone who actually knows what they're doing with PHP" could assist me in this.

Link to comment

It could be the HTML markup style when using quotes within quotes

For example

    $name = "O'Sullivan";

    echo "
        <form>
            Enter surname <input type='text' name='surname' value='$name'>
            <br>
            <button type='submit' >Submit</button>
        </form>
    ";

displays [screenshot of the rendered form]

 

Whereas

    $name = "O'Sullivan";

    echo "
        <form>
            Enter surname <input type='text' name='surname' value=\"$name\">              <!-- changed quotes around $name -->
            <br>
            <button type='submit' >Submit</button>
        </form>
    ";

displays [screenshot of the rendered form]

You also need to ensure that prepared statements are used when updating your DB tables as this will correctly handle such surname data.

Link to comment
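
Changing the quote style fixes the apostrophe case but leaves the same break for a value that contains a double quote; encoding the value for the attribute covers both. The following is an added example, not part of the post above or of the gallery script. It assumes the DOM extension is available, and `renderInput()` and `parsedValue()` are hypothetical helper names.

```php
<?php
// Added example: which value does an HTML parser recover from each quoting style?
// renderInput() and parsedValue() are hypothetical helpers, not gallery-script code.

function renderInput($value, $quote, $escape)
{
    if ($escape) {
        // ENT_QUOTES encodes both ' and ". Before PHP 8.1 the default flags
        // leave ' untouched, so the flag has to be passed explicitly.
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return "<input type='text' name='surname' value={$quote}{$value}{$quote}>";
}

function parsedValue($html)
{
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    // The attribute value as the parser (and so the browser) sees it
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

// Constructed sample inputs
$samples = array("O'Sullivan", 'Mary "Mo" Byrne');

foreach ($samples as $s) {
    printf(
        "%s\n  single quotes, raw:       [%s]\n  double quotes, raw:       [%s]\n"
        . "  single quotes, ENT_QUOTES: [%s]\n",
        $s,
        parsedValue(renderInput($s, "'", false)),
        parsedValue(renderInput($s, '"', false)),
        parsedValue(renderInput($s, "'", true))
    );
}
```

Only the ENT_QUOTES column returns every sample unchanged; each raw column is cut short at the first quote character that matches the attribute delimiter.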

1 hour ago, Jimmyfr said:

Thanks for that Barand, much appreciated. Trying to find the file with the form fields in lol!!

Before you do that, you can verify if that is the problem. View the source of the page where the full name is not displayed and see if it is there in the content, but in such a way that it is malformed. You originally stated " . . . he is adding descriptions to the photos via a back end form, if he uses an apostrophe as in O'Sullivan for example, when he saves the entry, the description text does not show at all."

First, I think it would be unlikely that output of the descriptions would be within an attribute. It might make sense if using the ALT attribute for an image, but that isn't normally "displayed" on the page. Second, if the problem is something akin to what @Barand states, I would expect "O" (in O'Sullivan) to be displayed as the description.

I would suggest first checking the database. Is the full value of the description saved? If yes, then you have a problem with how the output of that value is done. Is the field empty or only containing the value before the apostrophe? If so, then the problem is with saving that content (although you could still have an output problem once you solve that). My guess is that you have a problem in saving the data, but I would expect there to be failures if data with apostrophes were not being handled in the code. For example, if the description was one of the DB fields for images, then a malformed SQL statement would not save an image but not the description. So, I am thinking one of two things:

1) The descriptions are saved to a separate table after the image record is saved. In this instance the SQL to insert the description record could fail after the image record was saved. If errors are suppressed there may be no outward display of a problem.

2) The workflow involves creating the image record first and then adding a description value in that same record as a second use case. In this scenario, the first record would save the image record. But, when attempting to update the image record with a malformed query it would fail. Again, if errors are suppressed, there may be no indicator that there was a problem.

Link to comment
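
The silent-failure scenario described above, next to the prepared-statement version of the same save, as an added example that is not part of the original post or the gallery script. It assumes the pdo_sqlite extension (an in-memory SQLite database stands in for the real one); the `photos` table and the function names are hypothetical.

```php
<?php
// Added example: a concatenated UPDATE fails without any visible error,
// while the prepared version stores the apostrophe intact.
// Table, column and function names are hypothetical.

$pdo = new PDO('sqlite::memory:');
// Model the "errors are suppressed" case (this was the PDO default before PHP 8.0).
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
$pdo->exec("CREATE TABLE photos (id INTEGER PRIMARY KEY, file TEXT, description TEXT)");
$pdo->exec("INSERT INTO photos (id, file) VALUES (1, 'team.jpg')");

function saveConcatenated(PDO $pdo, $id, $description)
{
    // The apostrophe ends the SQL string literal early, so the statement is invalid.
    $sql = "UPDATE photos SET description = '$description' WHERE id = " . (int) $id;
    return $pdo->exec($sql) !== false;
}

function savePrepared(PDO $pdo, $id, $description)
{
    // The value travels as a bound parameter and is never parsed as SQL text.
    $stmt = $pdo->prepare("UPDATE photos SET description = ? WHERE id = ?");
    return $stmt !== false && $stmt->execute(array($description, (int) $id));
}

function storedDescription(PDO $pdo, $id)
{
    $stmt = $pdo->prepare("SELECT description FROM photos WHERE id = ?");
    $stmt->execute(array((int) $id));
    return $stmt->fetchColumn();
}

$text = "O'Sullivan family, 1998";   // constructed sample description

$ok  = saveConcatenated($pdo, 1, $text);
$err = $pdo->errorInfo();            // read before any further call on $pdo
printf("concatenated: saved=%s stored=%s error=%s\n",
    var_export($ok, true), var_export(storedDescription($pdo, 1), true), $err[2]);

$ok = savePrepared($pdo, 1, $text);
printf("prepared:     saved=%s stored=%s\n",
    var_export($ok, true), var_export(storedDescription($pdo, 1), true));
```

The image row exists in both cases; only the return value and `errorInfo()` reveal that the concatenated update never ran.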

20 hours ago, ginerjm said:

And that is one great reason for using prepared queries.  Look it up in the manual and change your 'save' queries to use prepared statements.  That will solve half your problems.  You will then have to handle the output features 

As I said in my original post, I am trying to help a handicapped friend with a problem on his charity page. So telling me what I should or should not have done is a. not relevant and b. not helpful. On the other hand, telling me the solution would be!

Link to comment

I am telling you the solution.  Use prepared queries.  What? You are going to give your friend a half-solution because you don't want to make some changes?  Whether he is handicapped or not is the problem.  You have told us the problem.  I do think we are telling you how to solve it.  

Link to comment

5 hours ago, Jimmyfr said:

As I said in my original post, I am trying to help a handicapped friend with a problem on his charity page. So telling me what I should or should not have done is a. not relevant and b. not helpful. On the other hand, telling me the solution would be!

There are any number of things it could be.  Your post is the equivalent of going on a car mechanic's site, and making a post that says:  "There's a weird sound coming from the right front corner of my 79 Subaru and the car won't stop properly now.  Oh yeah I drove by the DMV and they said that only people who exclusively work on 79 Subarus could fix it, assuming it could be fixed.  Tell me how to fix this, and btw I'm not in any way mechanical!"

What do you actually expect us to do here, other than make the educated guesses that have been made?  We have some standards and practices here, and pretty much anywhere else where people help others with code problems or questions, and that is that we need to see some relevant code.  

Link to comment
