Stripslashes Syntax

I need some help with my script ...

I populate the list box with content from a database:
___________________________________________
<?php
$link = mysql_connect("", "", "") OR DIE("Unable to connect to the database");
mysql_select_db("");

$sqlc = "SELECT coname FROM master,sales WHERE sales.hhid = master.hhid ORDER BY coname";
$rsc  = mysql_query($sqlc) or die(mysql_error());
echo "<SELECT size ='18' width ='300' name='region' style='font-family: Verdana;width:350px;color: #FF6600; font-size: 10px; border: 1px solid #000000'>";
    while ($rowc  =  mysql_fetch_array($rsc)) {
       print "<OPTION value='".$rowc[coname]."'>".$rowc[coname]."</OPTION>";

  }
   mysql_close($link);
print "</SELECT>";
 
?>
_________________________


If  ---> <OPTION value='".$rowc[coname]  has an apostrophe in the record (ie: Larry's Barber Shop)  , it won't display the record when the user clicks submit. Is there a way to apply stripslashes to this? Is there any solution at all?

Thanks
lvollmerAsked:

waygoodCommented:
Use htmlentites

print "<OPTION value='".htmlentites($rowc[coname])."'>".htmlentites($rowc[coname])."</OPTION>";
0
waygoodCommented:
BUT I'd change it slightly

<?php
$link = mysql_connect("", "", "") OR DIE("Unable to connect to the database");
mysql_select_db("");

$sqlc = "SELECT index, coname FROM master,sales WHERE sales.hhid = master.hhid ORDER BY coname";
$rsc  = mysql_query($sqlc) or die(mysql_error());
echo "<SELECT size ='18' width ='300' name='region' style='font-family: Verdana;width:350px;color: #FF6600; font-size: 10px; border: 1px solid #000000'>";
    while ($rowc  =  mysql_fetch_assoc($rsc)) {
       print "<OPTION value='".$rowc['index']."'>".htmlentites(stripslashes($rowc['coname']))."</OPTION>";

  }
   mysql_close($link);
print "</SELECT>";
 
?>

so when you submit you pass the index to the row, making it easier to search for, because what if there were two entries with the same coname??

(change index to the index name of the table you will get the record from later)
0
lvollmerAuthor Commented:
waygood

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'index, coname FROM master,sales WHERE sales.hhid = master.hhid


That is the error I get when I use that code
0
lvollmerAuthor Commented:
Also, if I use:Use htmlentites

print "<OPTION value='".htmlentites($rowc[coname])."'>".htmlentites($rowc[coname])."</OPTION>";

I do not get any values at all in the list box
0
waygoodCommented:
This is what I use. The QUERY selects the index then the display value; as they are referenced as field0 and field1, there is no need to worry about the actual name of the fields.

<select name="stage_id">
  <?php echo drop_down_box_options("SELECT stage_id, description FROM arm_product_stages ORDER BY display_order","","All Stages","1,2,3,4");  ?>
</select>

<?php

function drop_down_box_options($sql,$default="",$all=null,$all_value=0)
{
      $output="";
      if(isset($all))
      {
            $output.= '<option ';
            $output.= 'value="'.htmlentities($all_value).'"';
            if ($default==$all_value)
            {
                  $output.= ' selected="selected"';
            }
            $output.= '>' . htmlentities($all);
            $output.= '</option>';
            $output.= "\n";
      }
      
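      // Connection settings are read from globals; change them to your own settings.
      global $location, $user, $password, $db_name;
      $connection = mysql_connect($location, $user, $password ) or die ("Couldn't connect to database");
      $db = mysql_select_db($db_name, $connection) or die ("Couldn't select database");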
      $result=mysql_query($sql, $connection) or die ("Couldn't execute query");

      while($row=mysql_fetch_row($result))
      {
            $output.= '<option value="';
            $output.= htmlentities(stripslashes($row[0]));
            if ($default==$row[0])
            {
                  // No trailing quote here: the '">' appended below closes the attribute.
                  $output.= '" selected="selected';
            }
            $output.= '">';
            $output.= htmlentities(stripslashes($row[1]));
            $output.= '</option>';
            $output.= "\n";
      }
      return $output;
}

?>
0
waygoodCommented:
***(change index to the index name of the table you will get the record from later)

and change the database connection variables above to your settings.
0
lvollmerAuthor Commented:
print "<OPTION value='".htmlentites($rowc[coname])."'>".htmlentites($rowc[coname])."</OPTION>";


this will display options now, there was just a typo with htmlentities ...

However I do not think that this is the problem anymore... I might have to apply stripslashes to the page that the list box posts to.

$region = $_REQUEST['region'];   <--- This is on the page that coname posts to ... when I echo the value for this , it echoes "Bell" ... It is supposed to echo "Bell's Company" .... Any idea what I can do?
0
waygoodCommented:
How about this:-

At the start of each processing script that accepts the posted forms, I have this
$posted_data=$_POST;
array_walk($posted_data, "process_post");

// This is the function that removes the slashes (if necessary) and trims the entries.
function process_post(&$data)
{
      if(is_scalar($data))
      {
            if(get_magic_quotes_gpc())
            {
                  $data=stripslashes($data);
            }
            $data=trim($data);
      }
}
0
lvollmerAuthor Commented:
Warning: array_walk(): The argument should be an array in /mnt/drbd/home/url/url.com/www/regionlist7.php on line 4


Code:
<?
$region = $_REQUEST['region'];
//$posted_data=$_POST;
array_walk($region, "process_post");

// This is the function that removes the slashes (if necessary) and trims the entries.
function process_post(&$region)
{
     if(is_scalar($region))
     {
          if(get_magic_quotes_gpc())
          {
               $data=stripslashes($region);
          }
          $data=trim($data);
     }
} ?>
0
star_trekCommented:
use array_walk as
array_walk($_REQUEST,"process_post");
0
lvollmerAuthor Commented:
still cuts off at the apostrophe -

when I echo $region I get "RESNICK" ... I should get "RESNICK'S MATTRESS"

when I echo $data I get nothing.
0
Muhammad WasifCommented:
use this to display region
echo htmlentities($region, ENT_QUOTES);

http://www.php.net/htmlentities
0
star_trekCommented:
in the HTML use
change the following
print "<OPTION value='".$rowc[coname]."'>".$rowc[coname]."</OPTION>";

to
print "<OPTION value='".htmlentities($rowc[coname])."'>".$rowc[coname]."</OPTION>";

when the user clicks submit use the following in next page

$val = html_entity_decode($_POST['region']);

//$val can be matched to the one in database
0
Muhammad WasifCommented:
note the difference of ENT_QUOTES, using htmlentities($data, ENT_QUOTES) converts
' => &#039;
" => &quot;

print '<OPTION value="'.htmlentities($rowc["coname"], ENT_QUOTES).'">'.$rowc["coname"].'</OPTION>';

this will print RESNICK'S MATTRESS and I NEED "THIS" VALUE as

<SELECT size ='18' width ='300' name='region' style='font-family: Verdana;width:350px;color: #FF6600; font-size: 10px; border: 1px solid #000000'>
<OPTION value="RESNICK&#039;S MATTRESS">RESNICK'S MATTRESS</OPTION>
<OPTION value="I NEED &quot;THIS&quot; VALUE">I NEED "THIS" VALUE</OPTION>
</SELECT>

on the next page when you echo
echo $_POST["region"];

If magic quotes are enabled, you will get the value (depending on your selection)

RESNICK\'S MATTRESS
or
I NEED \"THIS\" VALUE

you can use this value safely in sql queries.

If you want to print this value in plain html use stripslashes()
echo stripslashes($_POST["region"]);

If you want to use $_POST["region"] value in text box use the htmlentities() like

echo '<input type="text" name="myvalue" value="'.htmlentities(stripslashes($_POST["region"]), ENT_QUOTES).'">';

If you look closely at this, you can see I have used single quotes around the whole expression and double quotes around the value. This will generate

<input type="text" name="myvalue" value="RESNICK&#039;S MATTRESS">
<input type="text" name="myvalue" value="I NEED &quot;THIS&quot; VALUE">


I think you are facing this problem
if you change double quote to single quote around value, you will get something like this
<input type="text" name="myvalue" value='RESNICK'S MATTRESS'>
but will break on first apostrophe and will print RESNICK

If you view html source of your page, you will come to know this.

Hope this will help you.

Muhammad Wasif
0
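The truncation discussed in this thread, as an added example that is not part of any poster's code: it builds the option with and without encoding and parses the markup with PHP's DOM extension to show which value a browser would submit. The sample names are constructed and the helper function names are hypothetical.

```php
<?php
// Constructed sample rows standing in for the coname column (not from the thread's database).
$rows = ["RESNICK'S MATTRESS", 'I NEED "THIS" VALUE', "Bell's Company"];

// As in the question: the value is concatenated raw into a single-quoted attribute.
function option_raw(string $name): string
{
    return "<OPTION value='" . $name . "'>" . $name . "</OPTION>";
}

// Encoded for the HTML context. ENT_QUOTES converts both ' and ", so the
// result is safe whichever quote character delimits the attribute, and
// database content can no longer close the attribute or open a new tag.
function option_encoded(string $name): string
{
    $safe = htmlentities($name, ENT_QUOTES, 'UTF-8');
    return "<OPTION value='" . $safe . "'>" . $safe . "</OPTION>";
}

// Parse the markup the way a browser would and return the value attribute
// of the first <option>, i.e. what would arrive as $_POST['region'].
function submitted_value(string $optionHtml): string
{
    $doc = new DOMDocument();
    // @ suppresses libxml warnings about the deliberately malformed raw markup.
    @$doc->loadHTML('<select name="region">' . $optionHtml . '</select>');
    return $doc->getElementsByTagName('option')->item(0)->getAttribute('value');
}

// Print, per row, the original name and the value each variant would submit.
foreach ($rows as $name) {
    printf(
        "%-22s raw: %-22s encoded: %s\n",
        $name,
        submitted_value(option_raw($name)),
        submitted_value(option_encoded($name))
    );
}
```

The parser decodes the entities when it reads the attribute, so the receiving page gets the original text back without calling html_entity_decode().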

Question has a verified solution.
