When updating my database... anything with ' (apostrophe) has problems.
Essentially everything to the right on the same line disappears and everything below appears outside and above the textarea when I am modifying a database entry using a web form, which makes everything below the line with the ' (apostrophe) un-editable.
Can anyone suggest a solution for allowing ' (apostrophes)?
~Shane
Here are snippets of the code:
if ($id) {
$sql = "UPDATE $table SET insert_date='$insert_date',title='$title',topic='$topic',aType='$aType',keywords='$keywords',content='$content' WHERE id=$id";
} else {
$sql = "INSERT INTO $table (insert_date, title, topic, aType, keywords, content) VALUES ('$insert_date','$title','$topic','$aType','$keywords','$content')";
}
AND the FORM:
<input name='content' type='hidden' id='textfield' value='<?php echo $content;?>'>
<?php
$KT_display = "Cut,Copy,Paste,Insert Image,Insert Table,Toggle Vis/Invis,Toggle WYSIWYG,Bold,Italic,Underline,Align Left,Align Center,Align Right,Align Justify,Background Color,Foreground Color,Undo,Redo,Bullet List,Numbered List,Indent,Outdent,HR,Font Type,Font Size,Insert Link,Clean Word,Heading List";
showActivex('textfield', 600, 350, false,$KT_display, "../ktmllite/", "", "../../../ktmllite/images/uploads/", "../../../ktmllite/files/uploads/",1, "", -1, "english", "yes", "no");
?>
If you are using MySQL you shouldn't use addslashes; you should only ever use mysql_real_escape_string().
jk, did that come out of the Security [webmasterworld.com] seminar? I remember reading in the PHP manual pages regarding SQL Injection [php.net] ...
Quote each non numeric user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_escape_string(), sql_escape_string(), etc.). If a database-specific string escape mechanism is not available, the addslashes() and str_replace() functions may be useful (depending on database type).
What was the reasoning for database-specific escape techniques, do you recall?
So the web form textarea is the problem. But maybe not.
I used addslashes in the SQL Statement but only added slashes to all the double quotes. The rest of the formatting is the same as mentioned in the first post in this thread.
<------- DID NOT WORK
$sql = "UPDATE $table SET insert_date='$insert_date',title='$title',topic='$topic',aType='$aType',keywords='$keywords',content='".addslashes($content)."' WHERE id=$id";
--------->
~Shane
It just sounded like it, because that is normally where you get a break that causes content to be displayed as part of the page. If it is truly an ' you normally get a parse error... is there a variable before that could be causing problems?
I went through this for about 2 hours writing my first CMS and finally just changed everything that displays on the web page to htmlentities()... no problems since.
Justin
BTW got a little carried away with the underscores before, don't know what got into me...
Added: could you post the text around where it is breaking without violating the TOS?
Added Some More: Please, when you do find a solution, post it... I would love to see what is happening here in case I run into it some day & I can't think what it might be if it is not slashes or htmlentities.
THE SOLUTION
<input name='content' type='hidden' id='textfield' value="<?php
echo stripslashes(ereg_replace('"','&quot;',$content));
?>">
The stripslashes() allowed for the single quotes to be displayed; however, then I ran into problems with double quotes. So when displaying my rich text editor I replaced the double quotes with its HTML equivalent '&quot;' using ereg_replace().
Voila!
Thanks to everyone for your ideas... Your people rule! AND you jump started my brain. Better than coffee.
~Shane
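As an added example (not code from this thread or from anyone posting in it), here is the same UPDATE/INSERT and hidden field done so that quotes are handled on both sides without any addslashes/stripslashes juggling: the values are bound to placeholders (mysqli prepared statement, assumed connection in $db), so an apostrophe in $content is data rather than SQL syntax, and the attribute is encoded with htmlspecialchars(ENT_QUOTES) so neither ' nor " can end the value attribute early. Column names are taken from the snippets above; $table is assumed to be a fixed name chosen by the script, never user input.

```php
<?php
// Added example, not from the thread. Assumes an open mysqli connection in $db,
// the columns shown in the first post, and a trusted (hard-coded) $table name.
function save_article(mysqli $db, string $table, array $row, ?int $id): int
{
    if ($id !== null) {
        // Placeholders: the values never become part of the SQL text, so a
        // quote inside $row['content'] cannot break or alter the statement.
        $stmt = $db->prepare(
            "UPDATE `$table` SET insert_date=?, title=?, topic=?, aType=?, keywords=?, content=? WHERE id=?"
        );
        $stmt->bind_param('ssssssi', $row['insert_date'], $row['title'], $row['topic'],
                          $row['aType'], $row['keywords'], $row['content'], $id);
    } else {
        $stmt = $db->prepare(
            "INSERT INTO `$table` (insert_date, title, topic, aType, keywords, content) VALUES (?,?,?,?,?,?)"
        );
        $stmt->bind_param('ssssss', $row['insert_date'], $row['title'], $row['topic'],
                          $row['aType'], $row['keywords'], $row['content']);
    }
    $stmt->execute();
    return $id ?? (int) $db->insert_id;
}

// Output side: encode for an HTML attribute. ENT_QUOTES converts both ' and "
// to entities, so the value="" attribute survives whatever the editor saved.
function hidden_field(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<input name=\"$name\" type=\"hidden\" id=\"textfield\" value=\"$safe\">";
}

// Constructed sample containing both kinds of quote and some markup.
$content = "It's a \"test\" <b>entry</b>";
echo hidden_field('content', $content);
```

Because the values are bound instead of interpolated, nothing needs to be slashed on the way into the database or stripped on the way back out; the only transformation is the HTML encoding at display time.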