quote problems in PHP
hi all, i've been having a problem with quotes and hyphens with my php for a while.
while i now understand the basics and can submit and extract text with these from a database, my particular question is more complicated, so i decided to strip down my code and post it to explain why it's a problem and hopefully someone can help
essentially the user posts something via a form, this is then previewed and then added to the db. it's not submitted directly. so my code works fine when no quotes are used. but put one in and you have a problem.
i've tried stripslashes and many other functions but none work for this. i've tried different ways of doing it with no luck. i really need help
<?php
@$form_element = addslashes($_POST['element']);
// prepare the form
$form1 = "<form action='preview.php?stage=preview' method='post'>
<table width='100%' border='1' cellspacing='0' cellpadding='5'>
<tr>
<td>Your Comment:</td>
<td><input name='element' type='text' value='$form_element'></td>
<td><input type='submit' value='Submit Entry' class='button'></td>
</tr>
</table>
</form>";
// display form if first time on page
if ($_GET['stage'] == "start")
{
echo $form1;
}
// display preview on submit
if (@$_GET['stage'] == "preview")
{
echo "Preview Form:<br><br>";
echo " <table width='100%' border='1' cellspacing='0' cellpadding='5'>
<tr>
<td>$form_element</td>
</tr>
</table>";
echo "<form action='preview.php?stage=end' method='post'>
<input type='hidden' name='element' value='$form_element'>
<input type='submit' value='Add Entry'>
</form>";
}
// display confirmation page and submit to database
if ($_GET['stage'] == "end")
{
$query = "insert into element (element) values ('$form_element')";
$result = mysql_query($query) or die ("Couldn't execute query.");
echo "Your text has been inserted into the database. <a href='preview.php?stage=show'>View</a>";
}
if ($_GET['stage'] == "show")
{
$query = "select element from element";
$result = mysql_query($query) or die ("Couldn't execute query.");
$row = mysql_fetch_array($result);
$element = stripslashes($row['element']);
echo $element;
}
?>
JP
aboyd posted this at 18:55 — 26th April 2005.
They have: 33 posts
Joined: Nov 2004
I hate to point you at a competing forum, but look at the second post here:
http://www.sitepoint.com/forums/showthread.php?t=257556
It has a perfect summary of the code used for each step. In particular, I think you want addslashes, not stripslashes. But review the example at Sitepoint.
-Tony
Busy posted this at 21:46 — 26th April 2005.
He has: 6,151 posts
Joined: May 2001
addslashes into the database
stripslashes from info out of database
You can reverse the quotes in the form variable: $form1 = '
I prefer this method so it can still be validated
JP Stones posted this at 17:47 — 1st May 2005.
They have: 2,390 posts
Joined: Nov 1998
ok more fiddling and I have it working for double quotes but still not for single quotes
it's passing the variable through the preview phase that is the problem.
try running the script with a single quote in it and it displays it fine in preview but cuts it on the hidden field so that it does not go through to the final stage.... ahhhhh
it would be great if someone could take a look for me
<?php
// display form if first time on page
if ($_GET['stage'] == "start")
{
echo "Collect Data:<br>";
echo "<form action='preview.php?stage=preview' method='post'>
<input name='form_field' type='text'>
<input type='submit' value='Preview Entry' class='button'>
</form>";
}
// display preview on submit
if (@$_GET['stage'] == "preview")
{
$input_data = $_REQUEST['form_field'];
if(get_magic_quotes_gpc())
{
$input_data = stripslashes($input_data);
}
echo "Preview Data:<br><br>";
echo $input_data;
echo "<br><form action='preview.php?stage=end' method='post'>
<input type='text' name='form_field' value='$input_data'>
<input type='submit' value='Add Entry'>
</form>";
}
// display confirmation page and submit to database
if ($_GET['stage'] == "end")
{
$input_data = $_REQUEST['form_field'];
$input_data = addslashes($input_data);
$query = "insert into element (element) values ('$input_data')";
$result = mysql_query($query) or die ("Couldn't execute query.");
echo "Your text has been inserted into the database. <a href='preview.php?stage=show'>View</a>";
}
if ($_GET['stage'] == "show")
{
$query = "select element from element";
$result = mysql_query($query) or die ("Couldn't execute query.");
$row = mysql_fetch_array($result);
$element = stripslashes($row['element']);
echo $element;
}
?>
JP
Busy posted this at 22:46 — 1st May 2005.
He has: 6,151 posts
Joined: May 2001
you could use htmlspecialchars($var, ENT_QUOTES) or if you want more characters converted use htmlentities($var, ENT_QUOTES)
this is instead of addslashes and you won't need to use stripslashes as it converts the quotes - " = &quot; ; ' = &#039; ; etc
JP Stones posted this at 22:20 — 2nd May 2005.
They have: 2,390 posts
Joined: Nov 1998
i can't see where i would put these to make it work, Busy?
J
Busy posted this at 22:43 — 2nd May 2005.
He has: 6,151 posts
Joined: May 2001
sorry,
replace addslashes($input_data) with htmlspecialchars($input_data, ENT_QUOTES) or htmlentities($input_data, ENT_QUOTES)
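Added example, not part of the thread or any poster's code: the same preview flow with each value escaped for the context it is written into, using htmlspecialchars() with ENT_QUOTES for the hidden field and the page output and a bound parameter for the insert. PDO with an in-memory SQLite table stands in for the thread's mysql_* calls, and the helper names (h, preview_form, save_element, show_element) and the sample input are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. The sample input and the
// in-memory SQLite table are constructed so the script runs offline from
// the CLI (needs the pdo_sqlite extension).

// Escape for an HTML context. ENT_QUOTES covers both ' and ", so the value
// cannot close a single- or double-quoted attribute or open a tag.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Preview stage: carry the raw text to the next request in a hidden field.
function preview_form(string $raw): string
{
    return "<form action='preview.php?stage=end' method='post'>\n"
         . "<input type='hidden' name='form_field' value='" . h($raw) . "'>\n"
         . "<input type='submit' value='Add Entry'>\n"
         . "</form>";
}

// End stage: store the text unchanged. The bound parameter keeps quotes
// out of the SQL text, so addslashes()/stripslashes() are not needed.
function save_element(PDO $db, string $raw): void
{
    $stmt = $db->prepare('INSERT INTO element (element) VALUES (?)');
    $stmt->execute([$raw]);
}

// Show stage: escape when writing into the page, not when storing.
function show_element(PDO $db): string
{
    $raw = $db->query('SELECT element FROM element')->fetchColumn();
    return h((string) $raw);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE element (element TEXT)');

$input = "It's a \"test\" <b>bold</b>";   // constructed sample comment

echo preview_form($input), "\n";
// The browser decodes the entities on submit, so the end stage receives
// the original text and stores it as typed.
save_element($db, $input);
echo show_element($db), "\n";
```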
JP Stones posted this at 22:49 — 2nd May 2005.
They have: 2,390 posts
Joined: Nov 1998
thanks, was just gonna write that i'd figured out your last post. it's the ENT_QUOTES i had not been using as i did not understand it
grrr
all sorted now at last - thanks