PHP Server Side Scripting Forum

    
carrying apostrophe in form
need to keep apostrophe in form result
weddingm




msg:3891808
 3:52 am on Apr 14, 2009 (gmt 0)

Pulling business name from database as Example's Name. I am trying to keep the apostrophe all the way through the form process.

Page 1 of the form has:

<input type='hidden' name='bname' value='".$bus."'>

Page 2 of the form has

$businessname=$_POST["bname"];

<?php echo ($businessname) ?>

I cannot echo the apostrophe in Example's Name. I have tried many variations of stripslashes and htmlspecialchars. I still cannot get it to work.

Any help would be appreciated.

Matt

 

jezra




msg:3891829
 5:28 am on Apr 14, 2009 (gmt 0)

htmlentities [php.net] with ENT_QUOTES is what you want.

$businessname = htmlentities($_POST["bname"],ENT_QUOTES);

rocknbil




msg:3892203
 4:53 pm on Apr 14, 2009 (gmt 0)

I *think* htmlentities() will only work for double quotes, a " gets converted to &quot;. I don't know that it applies to a single quote.

Even if it does, this presents problems when searching. If you were to store data like so

Book title: &quot;The End of the Internet As We know it &quot;

A search for

where title like '%"The End%';

would fail.

If you're working with apostrophied values, you have to decide your method of approach and stick to it. For example,

<input type='hidden' name='bname' value='".$bus."'>

Single quoted values are valid, they're just not "standard." Personally I go the other way around so that my output values are double quoted, and anything in my programming is single quoted:

print '<input type="hidden" name="bname" value="'.$bus.'">';

Now let's talk about inserting "Example's Name" into your database.

$bus ='Example\'s Name';

This won't work because mySQL obviously thinks the value ends before the "s"

insert into table (title) values ('$bus');

So my solution is a single substitution for single quotes. Just the single quote. This limits the amount of "treatment" my insert statements require:

foreach ($_POST as $key=>$value) {
// double up every run of single quotes before building the query
$value = preg_replace("/'+/","''",$value);
$sql = "insert into table (field) values ('$value')";
}

This gives you

insert into table (field) values ('Example''s Title');

Which should properly store "Example's Title" in your table.

On extraction, if you double-quote your form values, you should get this

<input type="hidden" name="bname" value="Example's Title">

If you like working the other way, reverse the idea, but as mentioned, this can get you into troubles with double-quoted values, which should be html entities: &quot;.

eelixduppy




msg:3892219
 5:02 pm on Apr 14, 2009 (gmt 0)


I *think* htmlentities() will only work for double quotes, a " gets converted to &quot;. I don't know that it applies to a single quote.

Actually it will apply for the single quote, as well. Should replace it with the entity &#039;.

As for adding text into a database with characters such as the single quote ('), a simple escaping should be more than enough to have it store properly. But this is a bit off topic, here.

The bottom line is you need to convert to entities or you have to have properly formed quotes surrounding text in a tag's attribute.
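
The round trip discussed in this thread, as an added example that is not part of any poster's message: the value is entity-encoded only when written into HTML, arrives on page 2 as raw text, and is stored raw so that searches still match. The `hidden_field` helper, the `business` table, the in-memory SQLite database (standing in for MySQL) and the bound-parameter insert are assumptions made for illustration, and `htmlspecialchars` is used where the thread uses `htmlentities`.

```php
<?php
// Constructed sample value, as it would come out of the database.
$bus = "Example's Name";

// Page 1: encode at output time, for the HTML attribute context.
// ENT_QUOTES converts both " and ', so either attribute quoting style is safe.
function hidden_field(string $name, string $value): string
{
    return '<input type="hidden" name="'
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        . '" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . '">';
}

$html = hidden_field('bname', $bus);
echo $html, "\n";

// The browser decodes the entity before submitting the form, so page 2
// receives the raw apostrophe. This decode stands in for $_POST['bname'].
preg_match('/value="([^"]*)"/', $html, $m);
$posted = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');

// Storage: keep the raw text in the table and let a bound parameter
// carry the quote, instead of editing quotes inside the SQL string.
// Assumption: in-memory SQLite via PDO so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE business (title TEXT)');
$db->prepare('INSERT INTO business (title) VALUES (?)')->execute([$posted]);

// Because no entities were stored, a LIKE search on the literal
// apostrophe still finds the row.
$find = $db->prepare('SELECT title FROM business WHERE title LIKE ?');
$find->execute(["%Example's%"]);
$stored = $find->fetchColumn();

// Page 2: encode again only at the moment the value is echoed into HTML.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```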
