Double quotes vanish from html forms
I have a basic form, user can input a text field.
Form data is sent to a page that checks all data is as should be (only checks for no blank fields and strlen), if all ok data is stored in the DB with mysql_real_escape_string.
Let's take it there are no errors from my checks...
First issue...
If I enter into the text field
hello "world"
It is stored in the db exactly as that. Shouldn't mysql_escape put a slash in front of each ", so it would be stored in the db as :
hello /"world/"
Second Issue....
This data can be edited by the same type of form, the data in db is echoed out into a form text input.
Simple enough can just edit the text and submit.
The above data hello "world"
is in the db exactly as that, but is echoed in the form text field as this:
hello
No quotes and the word in the quotes also gone (the space is still present after the first word).
The server has magic quotes on, but I have turned it off with a local php.ini (this is tested and (seemingly) works fine)
Can anyone please shed some light on this strange phenomenon?
Cheers
pr0gr4mm3r posted this at 13:07 — 5th October 2008.
He has: 1,502 posts
Joined: Sep 2006
Nope, the backslash is in the query (you can verify by temporarily echoing it to the browser), and it tells MySQL to treat the quotes as a part of a string, and not a string terminator. There is no need to store that in the database.
Using htmlspecialchars() when you are displaying output from the database will solve that problem. Your HTML probably looked something like this:
<input type="text" name="some_input" value="hello "world""
Your browser takes the first quote before 'world' as the end quote of the string. By using htmlspecialchars(), it will look like this, and display correctly:
<input type="text" name="some_input" value="hello &quot;world&quot;">
Hope this helps.
greg posted this at 14:08 — 5th October 2008.
He has: 1,581 posts
Joined: Nov 2005
yeees. and I had this discussion a while back in this forum...I remember now.
Your HTML probably looked something like this:
<input type="text" name="some_input" value="hello "world""
Your browser takes the first quote before 'world' as the end quote of the string.
It's in php, so this is what it actually is
<?php
echo '<td><input type="text" name="songname['.$song_id.']" maxlength="70" size="70" value="'.$song_name.'"></td>';
?>
So you are correct (again)
Something so simple.. I was ready to go find the server and strip out its hard drive, and it was basic html knowledge.
Cheers programmer
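Added example, not part of any post in this thread: the echo line from the post above rendered raw and with htmlspecialchars(), then parsed with PHP's DOMDocument to show which value the form field actually receives. The sample values, the function names (render_raw, render_escaped, parsed_value) and the (int) cast on the id are assumptions made for illustration.

```php
<?php
// Constructed sample values, not data from the thread.
$song_id   = 7;
$song_name = 'hello "world"';   // exactly what is stored in the DB

// Unescaped, as in the post above: the first " inside the value ends the attribute.
function render_raw($id, $name) {
    return '<td><input type="text" name="songname['.$id.']" maxlength="70" size="70" value="'.$name.'"></td>';
}

// Escaped for the HTML attribute context at output time, not when storing.
function render_escaped($id, $name) {
    $id   = (int) $id;                                     // numeric key, force an integer
    $name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');  // " becomes &quot;, ' becomes &#039;
    return '<td><input type="text" name="songname['.$id.']" maxlength="70" size="70" value="'.$name.'"></td>';
}

// Parse the markup with an HTML parser and read back the value attribute.
function parsed_value($html) {
    libxml_use_internal_errors(true);   // the raw case is malformed on purpose
    $doc = new DOMDocument();
    $doc->loadHTML('<table><tr>'.$html.'</tr></table>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input->getAttribute('value');
}

$cases = [
    'raw'     => render_raw($song_id, $song_name),
    'escaped' => render_escaped($song_id, $song_name),
];
foreach ($cases as $label => $html) {
    echo $label, ":\n  markup: ", $html, "\n";
    echo "  value in the form field: [", parsed_value($html), "]\n";
}
```

The database content is the same in both cases; only the output encoding differs. mysql_real_escape_string() protects the SQL query, while htmlspecialchars() protects the HTML attribute, and each is applied at its own boundary.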
decibel.places posted this at 14:36 — 5th October 2008.
He has: 1,494 posts
Joined: Jun 2008
hello /"world/"
just a minor correction/comment:
the example incorrectly uses forward slashes to escape, instead of backslashes. It should be:
"hello \"world\""
While pr0gr4mm3r has explained how to deal with quotes and special characters in PHP, you need to pay close attention to escaped characters working with form input using JavaScript.
greg posted this at 17:09 — 5th October 2008.
He has: 1,581 posts
Joined: Nov 2005
Yeah thanks for the correction. It was a quickly typed question.