slashes for strings with single quotes aren't working ??

[atomicrabbit]

Ok, I'm having a problem with a string being passed as a POST variable.

 

I have a php file that generates a list of strings ($largeString) to choose from. It gets the strings/paragraphs from another web page. Here is a basic rundown of what it looks like:

 

echo "<input name='addThis' type='radio' value='" . $name . "'>"
echo $largeString;
echo "<input type='hidden' name='sName' value='" . trim(addslashes($largeString)) . "' >";

 

I added the addslashes function because there are single quotes in the string.

 

Once a selection is made and the submit button is pressed, the values get passed through via POST and another function writes it to my MySQL database.

 

When the value of the hidden sName input gets written, it only gets the string until the first single quote and then it gets cut off. I thought maybe it was the process writing it to the database but it seems like the value doesn't get passed through POST properly. I thought that that's what the addslashes function was for, but maybe I'm doing something wrong. Before it gets written to the database, I had the POST value echoed to the screen like so:

 

$text = stripslashes($_POST['sName']);
$sMsg = "$text has been added successfully.";
print $sMsg

 

If the value being passed was:

That's all folks

 

it passes and prints

That\

 

 

[xnowandtheworldx]

try using mysql_real_escape_string to add slashes before the single quotes.

[atomicrabbit]

but like I said, it has nothing to do with the mySQL database or writing to it. When passing the value through POST is when the string gets cut off.

[atomicrabbit]

anyone?

[xnowandtheworldx]

Ah, sorry I didn't see that part, but you could still use the mysql_real_escape_string I suppose, it still adds the slashes it's just that your not actually putting it in a database somewhere...so still try it and if that doesn't work I really don't know what to tell you. :\

 

EDIT: I was looking at it again..and i'm not really sure what you can do about it why exactly is the reason for you adding the slashes? Is it to protect against SQL injection when your submitting it or what?

[atomicrabbit]

I tried mysql_real_escape_string but I kept getting the following error (which did not show up when using addslashes.

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]:
Access denied for user 'user'@'localhost' (using password: NO)
in /home/user/public_html/file.php on line 217

 

Anyways, the reason I need to use addslashes is because the string I need to pass may contain single quotes, double quotes, etc. and I'm passing the variable through POST using a hidden input as shown in my first post.

echo "<input type='hidden' name='sName' value='" . trim(addslashes($largeString)) . "' >";

 

Unless you have a better way to pass a large string of text through POST, this is the only way I know. Once printed, the above code would look like this in HTML:

<input type='hidden' name='sName' value='That's all folks'>

 

The single quote in That's will close the value= parameter and leave s all folks' out

[atomicrabbit]

anyone?

[marcus]

Use quotes for values. Then apply htmlentities on your variable, this way " will be converted to "

[atomicrabbit]

Ok I will try that, but is this normal? I thought the point of the addslashes function was to add slashes before ' and " so that it wouldn't conflict with actual html tags being printed.

[atomicrabbit]

it didn't work  What is wrong with this?????

[discomatt]

HTML isn't like php, where you can just escape a single quote... at least, not according to W3. Always use double quotes for attributes, and use htmlentities like mgall suggested.

 

<?php

$string = 'Did he say, "Jim?"';

$string = htmlentities($string);
  
echo '<input type="hidden" name="sName" value="'. $string . '" />';

?>