
PHP Server Side Scripting Forum

    
how to not display the \ before ' in a $var
when echoing $var on next page
jamie

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 290 posted 6:09 pm on May 1, 2003 (gmt 0)

i have passed a variable via a <select> menu through a form to the next page where it is displayed:

echo "<p>You searched for: ".$var."<br>\n";

One of the possible $vars in the form includes a single quote e.g. D'en Something.

when i echo this on to the next page it comes out like

You searched for: D\'en Something

with a backslash.

i have tried using all sorts of html special codes to replace the ' in the <option> tag, but i can't get it to go away.

* i use $var = @$_REQUEST['a'] ; to get the variable
* magic_quotes are on

thanks for help

 

RawAlex

10+ Year Member



 
Msg#: 290 posted 6:13 pm on May 1, 2003 (gmt 0)

If it was in php, you would do:

string stripslashes ( string str)

Returns a string with backslashes stripped off. (\' becomes ' and so on.) Double backslashes are made into a single backslash.

CGI is a mystery to me... but you might want to search google for cgi remove slashes or cgi strip slashes...

Alex

RawAlex

10+ Year Member



 
Msg#: 290 posted 6:14 pm on May 1, 2003 (gmt 0)

In perl, one option is:

$line =~ y/[,'"()<>]//d;

will strip out these unwanted characters from your line

Alex

jamie

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 290 posted 6:21 pm on May 1, 2003 (gmt 0)

hi rawalex,

it was php

and stripslashes works perfectly - doh!

wow, i am constantly amazed by these forums and the willingness to help, that took about 5 minutes to get an answer.

many thanks!

daisho

10+ Year Member



 
Msg#: 290 posted 12:24 am on May 2, 2003 (gmt 0)

In PHP this is related to the Magic Quotes option. The stripslashes function (as mentioned above) will fix it. In general I always turn Magic Quotes off in php.ini since it's more problems than it's worth (for me anyway).

daisho.

jamie

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 290 posted 7:49 am on May 2, 2003 (gmt 0)

daisho,

this will be my first foray into programming, and now that the script works, i spent most of yesterday looking at possible security issues - mostly to do with checking variable types and / or content using istype and eregi, etc.

is the use of magic quotes also a possible hole?

and something that has been puzzling me is:

i update the database using a textarea and input fields. some of the text is in foreign language with accents and all - and yet php or mysql automatically converts these to their html special codes - is this an automatic feature? is this something to do with magic_quotes?

at the moment i do not use htmlspecialchars anywhere in my script, either for inserting or displaying data?

sorry for convoluted question ;-)

grahamstewart

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 290 posted 9:30 am on May 2, 2003 (gmt 0)

Magic quotes shouldn't be a hole - but it can be a right pain as you have to have stripslashes everywhere - plus it's not actually ANSI SQL ('which just repeats it''s single quotes instead').

I usually turn it off too. I use htmlentities($str,ENT_QUOTES) instead.

If you are worried about security then you should also consider turning off register_globals (which judging by your code is currently on). It can be a major security hole and most php hosts now turn it off by default.

You would then access the variable from your input by using either $_GET['var'] or $_POST['var'] as appropriate.
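
Added example, not part of any post in this thread: the handling described above, where magic-quotes slashes are removed once when the input is read and the value is encoded with htmlentities($str, ENT_QUOTES) only when it is echoed. addslashes() simulates magic_quotes_gpc; the helper names raw_input() and html() and the sample strings are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Sample strings are constructed.
// addslashes() stands in for what magic_quotes_gpc did to request data, so
// this runs on PHP builds where that setting no longer exists.

// Hypothetical helper: undo magic-quotes escaping once, where input is read.
function raw_input(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Hypothetical helper: encode for HTML text or a quoted attribute, at output.
function html(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

$samples = [
    "D'en Something",
    "Café d'Or",
    "<b>O'Neil</b> & \"Sons\"",
];

foreach ($samples as $original) {
    $received = addslashes($original);       // what $_REQUEST['a'] held with magic quotes on
    $clean    = raw_input($received, true);  // slashes removed, original text restored

    echo "received : ", $received, PHP_EOL;
    echo "restored : ", $clean, PHP_EOL;
    echo "echoed   : <p>You searched for: ", html($clean), "<br>", PHP_EOL;

    // Strip once and encode once: a second stripslashes() would eat
    // backslashes the user really typed, and a second htmlentities()
    // would put visible entity text on the page.
    if ($clean !== $original) {
        throw new RuntimeException('round trip changed the value');
    }
    echo PHP_EOL;
}
```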

jamie

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 290 posted 11:30 am on May 2, 2003 (gmt 0)

hi graham

(not just a dab hand at css i see :-)

i have register_globals off - that was one of first things i checked after yesterday's security investigations.

i'll have a look at turning off magic quotes too, as i can imagine in the future it might be more appropriate.

cheers

p.s. any idea how mysql or php automatically converts to &eacute; when reading out data from db? it is a fantastic function but have never read about it anywhere and have done nothing consciously to enable it. just curious.

daisho

10+ Year Member



 
Msg#: 290 posted 1:00 pm on May 2, 2003 (gmt 0)

Sorry I don't have much experience with foreign language chars. Though I have never had anything change "&" to "&amp;" unless I did a url_encode or something like that.

daisho.

jamie

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 290 posted 1:35 pm on May 2, 2003 (gmt 0)

i have just turned off magic quotes and am now using htmlentities() which encodes everything very nicely!

thanks all for help

daisho

10+ Year Member



 
Msg#: 290 posted 1:49 pm on May 2, 2003 (gmt 0)

Good to hear.
