
PHP problem entering apostrophes --> ' <--

Everything to the right of ' disappears.

   
10:15 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



Hello,

When updating my database... anything with ' (apostrophe) has problems.

Essentially everything to the right on the same line disappears and everything below appears outside and above the textarea when I am modifying a database entry using a web form, which makes everything below the line with the ' (apostrophe) un-editable.

Can anyone suggest a solution for allowing ' (apostrophes)?

~Shane

10:17 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



See [php.net...]
10:21 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



As mattx17 pointed out, adding slashes will enable you to use " or ' within echo or print statements.

For example

print "Place "this" in quotes";

would cause a parse error.

print "Place \"this\" in quotes";

Place "this" in quotes

Mack.

10:23 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



if you are using mysql you shouldn't use addslashes, you should only ever use mysql_real_escape_string [php.net]
10:28 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



And if you are having trouble with echo or print to your web form, coming from a DB (like it sounds), if you have <code> in it you will want to print or echo html_entities(); of your string to see them, instead of having them become part of the html on the page.

Justin

10:53 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



I have tried many versions of addslashes and the Magic Quotes... but no luck.

Here are snippets of the code:

if ($id) {
    $sql = "UPDATE $table SET insert_date='$insert_date',title='$title',topic='$topic',aType='$aType',keywords='$keywords',content='$content' WHERE id=$id";
} else {
    $sql = "INSERT INTO $table (insert_date, title, topic, aType, keywords, content) VALUES ('$insert_date','$title','$topic','$aType','$keywords','$content')";
}

AND the FORM:

<input name='content' type='hidden' id='textfield' value='<?php echo $content;?>'>

<?php
$KT_display = "Cut,Copy,Paste,Insert Image,Insert Table,Toggle Vis/Invis,Toggle WYSIWYG,Bold,Italic,Underline,Align Left,Align Center,Align Right,Align Justify,Background Color,Foreground Color,Undo,Redo,Bullet List,Numbered List,Indent,Outdent,HR,Font Type,Font Size,Insert Link,Clean Word,Heading List";
showActivex('textfield', 600, 350, false,$KT_display, "../ktmllite/", "", "../../../ktmllite/images/uploads/", "../../../ktmllite/files/uploads/",1, "", -1, "english", "yes", "no");
?>

10:56 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member




if you are using mysql you shouldn't use addslashes, you should only ever use mysql_real_escape_string

jk, did that come out of the Security [webmasterworld.com] seminar? I remember reading in the PHP manual pages regarding SQL Injection [php.net] ...


Quote each non numeric user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_escape_string(), sql_escape_string(), etc.). If a database-specific string escape mechanism is not available, the addslashes() and str_replace() functions may be useful (depending on database type).

What was the reasoning for database-specific escape techniques, do you recall?

11:06 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



I forgot to mention the database accepts the entire article and displays it correctly on the website single quotes and all... however, when retrieving it in a web form to edit is where I have the problems.

So the web form textarea is the problem. But maybe not.

I used addslashes in the SQL Statement but only added slashes to all the double quotes. The rest of the formatting is the same as mentioned in the first post in this thread.

<------- DID NOT WORK

$sql = "UPDATE $table SET insert_date='$insert_date',title='$title',topic='$topic',aType='$aType',keywords='$keywords',content='".addslashes($content)."' WHERE id=$id";

--------->

~Shane

11:18 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



however, when retrieving it in a web form to edit is where I have the problems.

I still think it sounds like information is going on to the page as html code, not as viewable html tags... see html_entities();

Justin

11:34 pm on Jul 20, 2005 (gmt 0)

10+ Year Member



I tried this but it did not work:

<input name='content' type='hidden' id='textfield' value='<?php echo htmlentities($content);?>'>

~Shane

11:43 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sorry,

It just sounded like it, because that is normally where you get a break that causes content to be displayed as part of the page. If it is truly an ' you normally get a parse error... is there a variable before that could be causing problems?

I went through this for about 2 hours writing my first CMS and finally just changed everything that displays on the web page to htmlentities()... no problems since.

Justin

BTW got a little carried away with the underscores before, don't know what got into me...

Added: could you post the text around where it is breaking with out violating the TOS?

Added Some More: Please, when you do find a solution, post it... I would love to see what is happening here in case I run into it some day & I can't think what it might be if it is not slashes or htmlentities.

11:57 pm on Jul 20, 2005 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



>> jk, did that come out of the Security seminar

yes, why? because they are specifically built and tested for those db's and have taken everything into account.
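
The reason is concrete: what has to be escaped depends on the connection's character set (with multibyte encodings a byte that addslashes() treats as part of a quote pair can be the tail of a multibyte character, leaving a bare quote behind) and on the exact set of bytes the server treats specially (for MySQL: NUL, \n, \r, \, ', " and \x1a), and only the driver knows both. The cleaner form of the same advice is to keep values out of the SQL text altogether with bound parameters. As an added example (not code from the thread), here is Shane's UPDATE/INSERT rewritten that way: apostrophes, double quotes and backslashes in $content are stored exactly as typed and cannot alter the statement. It assumes PHP 7.1+ with PDO and the sqlite driver as an offline stand-in for MySQL (against MySQL the same code runs with a mysql: DSN; mysqli does the same with ? placeholders); the table name, column set and sample strings are constructed for the example. Note that the mysql_* extension, including mysql_real_escape_string(), was removed in PHP 7; mysqli_real_escape_string() is its counterpart when escaping rather than binding is unavoidable.

```php
<?php
// Added example, not from the thread. Needs PHP 7.1+ with PDO and pdo_sqlite.
// SQLite in memory stands in for MySQL; the statements use only portable SQL.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (
        id INTEGER PRIMARY KEY,
        insert_date TEXT, title TEXT, topic TEXT, aType TEXT, keywords TEXT, content TEXT)');
    return $db;
}

// Same if/else shape as the thread's snippet, with :placeholders in place of
// "...content='$content'...". A table name cannot be a placeholder, so it is a
// constant here; never interpolate an identifier taken from the request.
function saveArticle(PDO $db, ?int $id, array $fields): int
{
    $table = 'articles';
    $params = [
        ':insert_date' => $fields['insert_date'],
        ':title'       => $fields['title'],
        ':topic'       => $fields['topic'],
        ':aType'       => $fields['aType'],
        ':keywords'    => $fields['keywords'],
        ':content'     => $fields['content'],
    ];
    if ($id) {
        $stmt = $db->prepare("UPDATE $table SET insert_date=:insert_date, title=:title,
            topic=:topic, aType=:aType, keywords=:keywords, content=:content WHERE id=:id");
        $params[':id'] = $id;
        $stmt->execute($params);
        return $id;
    }
    $stmt = $db->prepare("INSERT INTO $table (insert_date, title, topic, aType, keywords, content)
        VALUES (:insert_date, :title, :topic, :aType, :keywords, :content)");
    $stmt->execute($params);
    return (int) $db->lastInsertId();
}

function loadContent(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT content FROM articles WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['content'] : null;
}

// What the thread's string-built UPDATE would send for the same value. Shown
// only to make the difference visible; it is never executed here.
function naiveUpdateSql(int $id, string $content): string
{
    return "UPDATE articles SET content='$content' WHERE id=$id";
}

// Constructed sample input: an apostrophe, double quotes, a backslash, markup.
$content = "Don't put \"this\" in C:\\temp <b>or</b> O'Reilly";
$row = ['insert_date' => '2005-07-20', 'title' => "Shane's post", 'topic' => 'php',
        'aType' => 'article', 'keywords' => "quotes,apostrophes", 'content' => $content];

$db = openDb();
$id = saveArticle($db, null, $row);            // INSERT branch
saveArticle($db, $id, $row);                   // UPDATE branch, same data
var_dump(loadContent($db, $id) === $content);  // bool(true): stored byte for byte

// With interpolation the first apostrophe ends the string literal and the rest
// of the value becomes SQL; a crafted value rewrites the WHERE clause so that a
// different row is updated. With binding it is just text.
$hostile = "x' WHERE id=2 -- ";
echo naiveUpdateSql($id, $hostile), "\n";      // ...content='x' WHERE id=2 -- ' WHERE id=1
saveArticle($db, $id, ['content' => $hostile] + $row);
var_dump(loadContent($db, $id) === $hostile);  // bool(true): stored as plain text
```

Run it with `php save.php`. Because the value never passes through the SQL parser, there is also nothing to strip on the way back out: the stripslashes() calls that appear later in this thread exist only to undo slashes that addslashes() or magic_quotes_gpc added on the way in.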

7:54 pm on Jul 21, 2005 (gmt 0)

10+ Year Member



After a lot of experimenting I have solved the problem with single and double quotes.

THE SOLUTION

<input name='content' type='hidden' id='textfield' value="<?php
echo stripslashes(ereg_replace('"','&#34;',$content));
?>">

The stripslashes() allowed the single quotes to be displayed; however, then I ran into problems with double quotes. So when displaying my rich text editor I replaced the double quotes with their HTML equivalent '&#34;' using ereg_replace().

Voila!

Thanks to everyone for your ideas... You people rule! AND you jump started my brain. Better than coffee.

~Shane
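
What was actually happening, stated for the record: the original form used `value='...'`, so the first apostrophe in $content closed the attribute; the browser read the rest of that line as stray attributes up to the next `>` and rendered whatever followed as page text, which is exactly the "outside and above the textarea" symptom. The htmlentities() attempt changed nothing because, before PHP 8.1, its default flag is ENT_COMPAT, which converts `"` but leaves `'` alone. The final solution works because a double-quoted attribute only needs `"` neutralised, but three caveats apply: ereg_replace() was removed in PHP 7 (str_replace() does the same job here); `&` is not encoded, so a literal `&#34;` typed by a user comes back from the browser as `"`; and stripslashes() only compensates for slashes added elsewhere (magic_quotes_gpc or addslashes() on the way in) and also removes backslashes the user typed. The general fix is htmlspecialchars() with ENT_QUOTES inside a quoted attribute. As an added example (not code from the thread), the three variants side by side on constructed inputs; it assumes plain PHP 7+ with no extensions:

```php
<?php
// Added example, not from the thread. Plain PHP 7+, no extensions needed.

// The form as originally posted: single-quoted attribute, value inserted raw.
function hiddenInputRaw(string $content): string
{
    return "<input name='content' type='hidden' id='textfield' value='$content'>";
}

// The thread's final version, with ereg_replace() swapped for str_replace()
// (ereg_* is gone in PHP 7) and stripslashes() dropped because nothing added
// slashes here. Only the delimiter character is neutralised.
function hiddenInputQuotesOnly(string $content): string
{
    return "<input name='content' type='hidden' id='textfield' value=\""
        . str_replace('"', '&#34;', $content) . '">';
}

// Hardened: every attribute value goes through htmlspecialchars() with
// ENT_QUOTES, so & < > " and ' are all converted and the attribute cannot be
// closed early whichever quote delimits it. ENT_SUBSTITUTE keeps a malformed
// UTF-8 byte from silently emptying the whole string.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hiddenInputSafe(string $content): string
{
    return '<input name="content" type="hidden" id="textfield" value="' . attr($content) . '">';
}

// Constructed samples: Shane's apostrophe case, double quotes, a value that
// breaks out of a double-quoted attribute, and a value that smuggles an entity.
$samples = [
    "Don't lose this",
    "He said \"hi\" and left",
    "x\" onfocus=\"alert(1)\" autofocus=\"",
    "literally &#34; typed by a user",
];

foreach ($samples as $s) {
    echo "raw:    ", hiddenInputRaw($s), "\n";        // apostrophe ends the attribute
    echo "quotes: ", hiddenInputQuotesOnly($s), "\n"; // survives, but &#34; is not encoded
    echo "safe:   ", hiddenInputSafe($s), "\n\n";
}

// Round trip: the browser submits the decoded attribute value, so decoding
// attr($s) must give back exactly $s for every sample.
foreach ($samples as $s) {
    $back = html_entity_decode(attr($s), ENT_QUOTES | ENT_HTML401, 'UTF-8');
    echo ($back === $s ? 'ok  ' : 'FAIL'), ' ', $s, "\n";
}
```

Run it with `php form.php` and compare the three lines per sample. The same attr() helper belongs on every value echoed into markup from the database, not just this hidden field; what the rich-text editor does with the value afterwards is the editor's concern, but the HTML that carries it into the page must be well-formed first.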