
strip apostrophe ' off a string

php, syntax


rodriguez1804

10:50 pm on Aug 18, 2009 (gmt 0)




Ok, so I have the following code for displaying a user's profile picture. Thing is, it gets hung up if a user has an ' in their name, such as we' because it messes up the syntax. Here is the code:

if (isset($_GET['username'])) {
    $authorUsername = $_GET['username']; // DISPLAYS AS: we'
    $authorComment  = $_GET['comment'];

    // The src attribute is single-quoted, so an apostrophe in the name ends it early.
    $myProfilePic2 = "<img src='/users/" . $authorUsername . "/" . $authorUsername
        . ".ProfilePic." . $dbConn->getUserPicExtension($authorUsername) . "' />";
}

In the above code, the extra apostrophe (') in we' throws off the whole syntax in $myProfilePic2. The code works on names without apostrophes, but for users whose name contains apostrophes, it all goes downhill.

How do I work around/fix this if I want to retain the original user's name (we') without having to strip off the apostrophe? Thanks

eelixduppy

1:00 am on Aug 19, 2009 (gmt 0)



If you are using MySQL here, you should be prepping the string before you put it in a query. The best method to escape such a string is to use the following:

$authorUsername = mysql_real_escape_string($_GET['username']); // http://www.php.net/mysql-real-escape-string

Try that and see how it works out for ya. :)

rodriguez1804

1:49 am on Aug 19, 2009 (gmt 0)




Yeah, this strips off the apostrophe, but that's not the real issue though. I am trying to get the script to find the image path. Something like this:

<img src="/users/".$authorUsername.".jpg" />

So say the name is we', then the ideal image path would be something like <img src="/users/we'.jpg" />. But you see, the apostrophe screws everything up when the script is trying to figure out the path.

Maybe there's something obvious I am missing?

I am currently using mysql_real_escape_string(stripslashes($data)) to prep for DB insertion. If I have a string like we', then we' gets inserted into the DB. Is this wrong?

I tried inserting we\' in DB also, but it was giving me nightmares in getting the correct output, so I reverted to the above.

I thought about replacing the apostrophe with nothing, but that would mess up the names: we' -> we. As you can tell, I am a bit confused about this, so please clarify how I should approach this issue.

eelixduppy

3:11 am on Aug 19, 2009 (gmt 0)



First off, I'm not really sure where your problem lies. I understand that you cannot properly create the image path, but there are a few things that I am uncertain about. For instance, would I be correct in saying that a file
/users/we'.jpg
exists on the server? If so then I don't see why you would be having any troubles. If not, then that is your answer.

As far as putting characters such as the apostrophe (') in usernames in the first place...well that is something I would tend to avoid. I usually only allow alphanumeric characters and the underscore in my usernames; anything else would be invalid and prompt them to choose a new one. This decision is up to you, but I would seriously consider going that route.

[edited by: eelixduppy at 3:55 am (utc) on Aug. 19, 2009]

rodriguez1804

3:54 am on Aug 19, 2009 (gmt 0)




eelixduppy,

Yes, you're correct in that the images are stored on the server. The problem only comes up when a username has an apostrophe in it.

For this reason, I think I'll take your advice and avoid apostrophes in usernames altogether. Thanks for the help

eelixduppy

4:25 am on Aug 20, 2009 (gmt 0)



The other thing that is of concern is you are storing files with the same name as the username. Just curious, are these files being uploaded by the user in any way? If so, it is generally bad form to keep the same name (or have a predictable naming convention) for file uploads; that way, just in case something slips through the shields, they won't actually know where to find the file. Just yet another thing to keep in mind when dealing with security.

In any case, I'm sure you got it all figured out by now. Glad to help. :)
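Pulling the thread's advice together, as an added example that is not any poster's code: validate usernames at signup, encode the name before it lands in the src attribute (SQL escaping does nothing for markup or paths), and give uploads an unpredictable stored name. It assumes the /users/ layout and the extension lookup from rodriguez1804's snippet; the random upload name is a constructed stand-in for a database-backed mapping.

```php
<?php
// Added example, not the posters' code. Assumes the /users/ layout from the thread
// and that the picture extension comes from the existing getUserPicExtension() call.

// 1. Reject anything outside the whitelist eelixduppy suggests, at signup time.
function isValidUsername(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $name) === 1;
}

// 2. Whatever the name contains, never paste it raw into markup.
//    rawurlencode() keeps the URL path well-formed (an apostrophe becomes %27),
//    htmlspecialchars() with ENT_QUOTES neutralises ' and " inside the attribute.
//    mysql_real_escape_string() is for SQL literals only and does not help here.
function profilePicTag(string $username, string $ext): string
{
    $path = '/users/' . rawurlencode($username) . '/'
          . rawurlencode($username) . '.ProfilePic.' . rawurlencode($ext);
    return '<img src="' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '" />';
}

// 3. The thread's original construction, kept only to show why it breaks:
//    the single-quoted attribute ends at the first apostrophe in the name.
function brokenProfilePicTag(string $username, string $ext): string
{
    return "<img src='/users/" . $username . "/" . $username
         . ".ProfilePic." . $ext . "' />";
}

// 4. Avoid predictable upload names: store the file under a random token and
//    keep the token -> user mapping in the database (constructed stand-in here).
function newUploadName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$username = "we'";   // constructed sample name taken from the thread
echo brokenProfilePicTag($username, 'jpg'), PHP_EOL;
echo profilePicTag($username, 'jpg'), PHP_EOL;
var_dump(isValidUsername($username));
var_dump(isValidUsername('we_1804'));
echo newUploadName('jpg'), PHP_EOL;
```

Run it with `php example.php`; the first line of output shows the attribute cut short at the apostrophe, the second shows the encoded path that the web server decodes back to the real file name.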