PHP Server Side Scripting Forum

    
PHP problem entering apostrophes --> ' <--
Everything to the right of ' disappears.
alcheme

Msg#: 9262 posted 10:15 pm on Jul 20, 2005 (gmt 0)

Hello,

When updating my database... anything with ' (apostrophe) has problems.

Essentially everything to the right on the same line disappears and everything below appears outside and above the textarea when I am modifying a database entry using a web form, which makes everything below the line with the ' (apostrophe) un-editable.

Can anyone suggest a solution for allowing ' (apostrophes)?

~Shane

 

mattx17

Msg#: 9262 posted 10:17 pm on Jul 20, 2005 (gmt 0)

See [php.net...]

mack

Msg#: 9262 posted 10:21 pm on Jul 20, 2005 (gmt 0)

Like mattx17 pointed out, adding slashes will enable you to use " or ' within echo or print statements.

For example

print "Place "this" in quotes";

would cause a parse error.

print "Place \"this\" in quotes";

Place "this" in quotes

Mack.

jatar_k

Msg#: 9262 posted 10:23 pm on Jul 20, 2005 (gmt 0)

if you are using mysql you shouldn't use addslashes, you should only ever use mysql_real_escape_string [php.net]

jd01

Msg#: 9262 posted 10:28 pm on Jul 20, 2005 (gmt 0)

And if you are having trouble with echo or print to your web form, coming from a DB (like it sounds), if you have <code> in it you will want to print or echo html_entities(); of your string to see them, instead of having them become part of the html on the page.

Justin

alcheme

Msg#: 9262 posted 10:53 pm on Jul 20, 2005 (gmt 0)

I have tried many versions of addslashes and the Magic Quotes... but no luck.

Here are snippets of the code:

if ($id) {

$sql = "UPDATE $table SET insert_date='$insert_date',title='$title',topic='$topic',aType='$aType',keywords='$keywords',content='$content' WHERE id=$id";

} else {

$sql = "INSERT INTO $table (insert_date, title, topic, aType, keywords, content) VALUES ('$insert_date','$title','$topic','$aType','$keywords','$content')";

}

AND the FORM:

<input name='content' type='hidden' id='textfield' value='<?php echo $content;?>'>

<?php
$KT_display = "Cut,Copy,Paste,Insert Image,Insert Table,Toggle Vis/Invis,Toggle WYSIWYG,Bold,Italic,Underline,Align Left,Align Center,Align Right,Align Justify,Background Color,Foreground Color,Undo,Redo,Bullet List,Numbered List,Indent,Outdent,HR,Font Type,Font Size,Insert Link,Clean Word,Heading List";
showActivex('textfield', 600, 350, false,$KT_display, "../ktmllite/", "", "../../../ktmllite/images/uploads/", "../../../ktmllite/files/uploads/",1, "", -1, "english", "yes", "no");
?>

coopster

Msg#: 9262 posted 10:56 pm on Jul 20, 2005 (gmt 0)


if you are using mysql you shouldn't use addslashes, you should only ever use mysql_real_escape_string

jk, did that come out of the Security [webmasterworld.com] seminar? I remember reading in the PHP manual pages regarding SQL Injection [php.net] ...


Quote each non numeric user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_escape_string(), sql_escape_string(), etc.). If a database-specific string escape mechanism is not available, the addslashes() and str_replace() functions may be useful (depending on database type).

What was the reasoning for database-specific escape techniques, do you recall?

alcheme

Msg#: 9262 posted 11:06 pm on Jul 20, 2005 (gmt 0)

I forgot to mention the database accepts the entire article and displays it correctly on the website, single quotes and all... however, when retrieving it in a web form to edit is where I have the problems.

So the web form textarea is the problem. But maybe not.

I used addslashes in the SQL Statement but only added slashes to all the double quotes. The rest of the formatting is the same as mentioned in the first post in this thread.

<------- DID NOT WORK

$sql = "UPDATE $table SET insert_date='$insert_date',title='$title',topic='$topic',aType='$aType',keywords='$keywords',content='".addslashes($content)."' WHERE id=$id";

--------->

~Shane

jd01

Msg#: 9262 posted 11:18 pm on Jul 20, 2005 (gmt 0)

however, when retrieving it in a web form to edit is where I have the problems.

I still think it sounds like information is going on to the page as html code, not as viewable html tags... see html_entities();

Justin

alcheme

Msg#: 9262 posted 11:34 pm on Jul 20, 2005 (gmt 0)

I tried this but it did not work:

<input name='content' type='hidden' id='textfield' value='<?php echo htmlentities($content);?>'>

~Shane

jd01

Msg#: 9262 posted 11:43 pm on Jul 20, 2005 (gmt 0)

Sorry,

It just sounded like it, because that is normally where you get a break that causes content to be displayed as part of the page. If it is truly an ' you normally get a parse error... is there a variable before that could be causing problems?

I went through this for about 2 hours writing my first CMS and finally just changed everything that displays on the web page to htmlentities()... no problems since.

Justin

BTW got a little carried away with the underscores before, don't know what got into me...

Added: could you post the text around where it is breaking without violating the TOS?

Added Some More: Please, when you do find a solution, post it... I would love to see what is happening here in case I run into it some day & I can't think what it might be if it is not slashes or htmlentities.

jatar_k

Msg#: 9262 posted 11:57 pm on Jul 20, 2005 (gmt 0)

>> jk, did that come out of the Security seminar

yes, why? because they are specifically built and tested for those db's and have taken everything into account.

alcheme

Msg#: 9262 posted 7:54 pm on Jul 21, 2005 (gmt 0)

After a lot of experimenting I have solved the problem with single and double quotes.

THE SOLUTION

<input name='content' type='hidden' id='textfield' value="<?php
echo stripslashes(ereg_replace('"','&#34;',$content));
?>">

The stripslashes() allowed for the single quotes to be displayed; however, then I ran into problems with double quotes. So when displaying my rich text editor I replaced the double quotes with its HTML equivalent '&#34;' using ereg_replace().

Voila!

Thanks to everyone for your ideas... You people rule! AND you jump started my brain. Better than coffee.

~Shane
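
Added example, not part of the thread or any poster's code: the apostrophe problem discussed above involves two separate contexts, the SQL statement and the single-quoted value='...' attribute, and each needs its own handling (bound parameters for SQL, htmlspecialchars() with ENT_QUOTES for the attribute). It assumes PHP 7 or later with pdo_sqlite; the articles table is constructed, in-memory SQLite stands in for MySQL, and attr() and parsedValue() are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. The articles table is constructed,
// and in-memory SQLite (pdo_sqlite) stands in for the poster's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, content TEXT)');

// Constructed sample input with both quote styles, markup and a line break.
$title   = "Shane's article";
$content = "<p>It's a \"quoted\" line</p>\n<p>second line</p>";

// SQL context: bound parameters keep quotes in the data out of the SQL text,
// so nothing is escaped on the way in or stripped on the way out.
$ins = $db->prepare('INSERT INTO articles (title, content) VALUES (:title, :content)');
$ins->execute([':title' => $title, ':content' => $content]);
$sel = $db->prepare('SELECT content FROM articles WHERE id = :id');
$sel->execute([':id' => (int) $db->lastInsertId()]);
$stored = $sel->fetchColumn();

// HTML attribute context: encode &, <, > and BOTH quote characters.
// attr() and parsedValue() are hypothetical helper names for this example.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Approximates what a browser reads back from a single-quoted value attribute.
function parsedValue(string $html): string
{
    preg_match("/value='([^']*)'/", $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$open  = "<input name='content' type='hidden' id='textfield' value='";
$cases = [
    'raw echo'   => $open . $stored . "'>",  // attribute ends at the first '
    'ENT_COMPAT' => $open . htmlspecialchars($stored, ENT_COMPAT, 'UTF-8') . "'>",
    'ENT_QUOTES' => $open . attr($stored) . "'>",
];
foreach ($cases as $label => $html) {
    $ok = parsedValue($html) === $stored && $stored === $content;
    printf("%-10s value survives intact: %s\n", $label, $ok ? 'yes' : 'no');
}
```

Before PHP 8.1 the default flag for htmlentities() and htmlspecialchars() was ENT_COMPAT, which encodes double quotes but leaves apostrophes as they are. ereg_replace() was removed in PHP 7.0, so on current PHP the encoding step has to be done with htmlspecialchars() or a preg_/str_ function.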
