fuzzyweasel Posted November 28, 2007

Hi all,

I've been looking everywhere for someone with the same problem but can't figure this one out.

I am creating some forms where users can securely submit data to my website. The first form asks the user if data falls in the category of "A" or "B". When the user clicks submit, the data is sent to the process page and added to the database. The data is retrieved using _POST on the process page. If the data is in category "A" then there is no problem. If the data is in category "B" then the process page asks the user to submit an image. The _POST variables are then submitted with the image via the new form by making the variables "hidden" in the form. These hidden elements are then added to the database.

The problem starts here. Data in category "A" comes out fine when retrieved from the database. Data in category "B", though, has been passed TWICE through _POST and, if it has any single or double quotes, will not display correctly when retrieved from the database. I have tried all combinations of addslashes and stripslashes but nothing has worked.

Here is the first form where the user chooses if the data is "A" or "B":

```html
<form action='process1.php' method='post'>
<table cellpadding='2' cellspacing='1' border='1'>
  <tr>
    <td><b>Headline:</b></td>
    <td><input type='text' name='headline' size='75'></td>
  </tr>
  <tr>
    <td width='200'><b>A or B?:</b></td>
    <td><SELECT name='topstory' size='1'>
      <OPTION name='A' SELECTED>A</OPTION>
      <OPTION name='B'>B</OPTION>
    </SELECT></td>
  </tr>
  <tr>
    <td width='200'><b>Short Description:</b><br>This should be a shortened version of your story. It can be just the first few sentences of your story. Make sure it is about 3 sentences long.</td>
    <td><textarea rows='5' cols='50' name='shortdesc'></textarea></td>
  </tr>
  <tr>
    <td><b>Paragraph 1:</b></td>
    <td><textarea rows='10' cols='50' name='firstparagraph'></textarea></td>
  </tr>
  <tr>
    <td><b>Paragraph 2:</b><br>Leave blank if not needed.</td>
    <td><textarea rows='10' cols='50' name='secondparagraph'></textarea></td>
  </tr>
  <tr>
    <td><b>Paragraph 3:</b><br>Leave blank if not needed.</td>
    <td><textarea rows='10' cols='50' name='thirdparagraph'></textarea></td>
  </tr>
  <tr>
    <td colspan='2' align='center'><input type='submit' value='Submit'></td>
  </tr>
</table>
</form>
```

Here is the process page process.php:

```php
<?php
$headline=$_POST['headline'];
$shortdesc=$_POST['shortdesc'];
$topstory=$_POST['topstory'];
$firstparagraph=$_POST['firstparagraph'];
$secondparagraph=$_POST['secondparagraph'];
$thirdparagraph=$_POST['thirdparagraph'];

if ($topstory == "B") {
    echo "<form enctype='multipart/form-data' action='process2.php' method='POST'>
    Please choose a file: <input name='uploaded' type='file' /><br />
    <!--Uploads the Image File-->
    <input type='submit' value='Upload' />
    <input type='hidden' name = 'topstory' value='{$topstory}'>
    <input type='hidden' name = 'headline' value='{$headline}'>
    <input type='hidden' name = 'shortdesc' value='{$shortdesc}'>
    <input type='hidden' name = 'firstparagraph' value='{$firstparagraph}'>
    <input type='hidden' name = 'secondparagraph' value='{$secondparagraph}'>
    <input type='hidden' name = 'thirdparagraph' value='{$thirdparagraph}'>
    </form>";
}else{
    // Connect to the database and do stuff
}
?>
```

Here is the process page process2.php:

```php
<?php
$headline=$_POST['headline'];
$shortdesc=$_POST['shortdesc'];
$topstory=$_POST['topstory'];
$firstparagraph=$_POST['firstparagraph'];
$secondparagraph=$_POST['secondparagraph'];
$thirdparagraph=$_POST['thirdparagraph'];

// Some code that uploads image file.
// Connect to database and do stuff.
?>
```

I don't know if this makes sense to you at all. But basically when I retrieve data from the database, if it is of type "B" it is messed up. If it was supposed to be (Steve's car is going towards Don's House.) then it will display as (Steve') with the single quote. I've tried playing around with addslashes() and stripslashes() in different areas of the code but have had no luck.

Any suggestions?

phpQuestioner Posted November 28, 2007

Use mysql_real_escape_string(): http://us3.php.net/mysql_real_escape_string

fuzzyweasel Posted November 28, 2007

Where do you think I should add mysql_real_escape_string()?

phpQuestioner Posted November 28, 2007

I see what your problem is. Try it like this:

```php
<?php
$headline=$_POST["headline"];
$shortdesc=$_POST["shortdesc"];
$topstory=$_POST["topstory"];
$firstparagraph=$_POST["firstparagraph"];
$secondparagraph=$_POST["secondparagraph"];
$thirdparagraph=$_POST["thirdparagraph"];

if ($topstory == "B") {
    // Inner double quotes are backslash-escaped so the PHP string stays valid.
    echo "<form enctype=\"multipart/form-data\" action=\"process2.php\" method=\"POST\">
    Please choose a file: <input name=\"uploaded\" type=\"file\" /><br />
    <!--Uploads the Image File-->
    <input type=\"submit\" value=\"Upload\" />
    <input type=\"hidden\" name = \"topstory\" value=\"{$topstory}\">
    <input type=\"hidden\" name = \"headline\" value=\"{$headline}\">
    <input type=\"hidden\" name = \"shortdesc\" value=\"{$shortdesc}\">
    <input type=\"hidden\" name = \"firstparagraph\" value=\"{$firstparagraph}\">
    <input type=\"hidden\" name = \"secondparagraph\" value=\"{$secondparagraph}\">
    <input type=\"hidden\" name = \"thirdparagraph\" value=\"{$thirdparagraph}\">
    </form>";
}else{
    // Connect to the database and do stuff
}
?>
```

Also, you should be using mysql_real_escape_string() in your database query if you're letting people submit content other than plain text characters to your database, for security reasons.

fuzzyweasel Posted November 28, 2007

Thanks for your help so far...

I tried making things double quotes where possible as noted in your reply. The strings have escaped characters after they go through the first process.php but they get lost somewhere in the second process2.php. If I entered (Steve's a cool Guy) it first turns to (Steve\'s a cool Guy) then (Steve\\)

As for the security, I will be addressing that before we launch the code.

phpQuestioner Posted November 28, 2007

Do you have your process PHP files doing this?

```php
<?php
$topstory = stripslashes($_POST["topstory"]);
?>
```

fuzzyweasel Posted November 28, 2007

Ok,

So I do that on process.php only and get (Steve\\)
Do it on process.php and process2.php and get (Steve\\)
Do it on both and I get (Parse error: syntax error, unexpected T_STRING)

On process2.php I am writing to a file like so:

```php
$myFile = "st/{$date}{$number}.php";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = "<?php
\$firstparagraphwr = \"$firstparagraph\";
\$secondparagraphwr = \"$secondparagraph\";
\$thirdparagraphwr = \"$thirdparagraph\";
\$headlinewr = \"$headline\";
\$topstory = \"$topstory\";
require('template.php');
?>";
```

This creates a page and adds the strings to it. When I visit the created page is where I see (Steve) that has been transformed from (Steve's a cool guy) to (Steve\\) to (Steve)

phpQuestioner Posted November 28, 2007

OK, try this and see what you get. Just create a demo page and try this on it; you should be able to do your process.php and process2.php scripts the same way.

```php
<?php
$topstory = stripslashes($_POST['topstory']);
echo "$topstory";
echo "<br><br>";
?>
<form method="post">
<input type="text" name="topstory" value="Steve's a cool guy">
<input type="submit">
</form>
```

fuzzyweasel Posted November 28, 2007

I take it you are thinking I should combine the two forms into one? I will try this tomorrow and see what happens.

phpQuestioner Posted November 28, 2007

You do not have to combine the two forms into one if you choose not to, but to unescape the single and double quotes in your text field variable (i.e. "$topstory") you will have to do it like the demo script I provided above, no matter if you're using two forms or just one. If you try out the demo script I provided, you will see that what I am talking about is exactly what you are wanting to do.

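Added example, not part of any post in this thread and not the posters' code: it reproduces the truncation at the first quote when a slashed value is placed unencoded in a hidden field, then shows the value surviving both the second POST and a generated PHP file when it is encoded for each output context. It assumes magic_quotes_gpc is on and simulates it with addslashes(); the helper names attr_value, hidden_raw, hidden_encoded and php_file_roundtrip are hypothetical, and the sample strings are constructed.

```php
<?php
// Added example, not code from the thread. All sample values are constructed.

// Roughly how a browser reads the first value='...' or value="..." attribute.
function attr_value(string $html): string {
    preg_match("/value=(['\"])(.*?)\\1/s", $html, $m);
    return html_entity_decode($m[2], ENT_QUOTES, 'UTF-8');
}

// Hidden field built the way process.php does it: raw value, no HTML encoding.
function hidden_raw(string $name, string $value): string {
    return "<input type='hidden' name='{$name}' value='{$value}'>";
}

// Hidden field with name and value encoded for an HTML attribute context.
function hidden_encoded(string $name, string $value): string {
    return "<input type='hidden' name='" . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . "' value='" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "'>";
}

// Write a value into a generated PHP file as a literal, then read it back.
function php_file_roundtrip(string $value): string {
    $file = tempnam(sys_get_temp_dir(), 'gen');
    file_put_contents($file, '<?php return ' . var_export($value, true) . ';');
    $back = include $file;
    unlink($file);
    return $back;
}

$typed = "Steve's car is going towards Don's House.";

// Assumption: magic_quotes_gpc is on, so every POST value arrives addslashes()-ed.
$post1 = addslashes($typed);
$post2 = addslashes(attr_value(hidden_raw('headline', $post1)));
echo "unencoded, after 2nd POST: {$post2}\n";

// Fix: undo the automatic slashes once on input, encode for each output context.
$clean1 = stripslashes($post1);
$post2  = addslashes(attr_value(hidden_encoded('headline', $clean1)));
$clean2 = stripslashes($post2);
echo "encoded, after 2nd POST:   {$clean2}\n";

// var_export() emits a correctly quoted PHP literal, whatever the text contains.
$tricky = 'He said "hi" to $bob at Don\'s';
var_dump(php_file_roundtrip($clean2) === $typed, php_file_roundtrip($tricky) === $tricky);
```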