Solved

Stripslashes Syntax

Posted on 2006-04-13
Last Modified: 2013-12-12
I need some help with my script ...

I populate the list box with content from a database:
___________________________________________
<?php
$link = mysql_connect("", "", "") OR DIE("Unable to connect to the database");
mysql_select_db("");

$sqlc = "SELECT coname FROM master,sales WHERE sales.hhid = master.hhid ORDER BY coname";
$rsc  = mysql_query($sqlc) or die(mysql_error());
echo "<SELECT size ='18' width ='300' name='region' style='font-family: Verdana;width:350px;color: #FF6600; font-size: 10px; border: 1px solid #000000'>";
    while ($rowc  =  mysql_fetch_array($rsc)) {
       print "<OPTION value='".$rowc[coname]."'>".$rowc[coname]."</OPTION>";

  }
   mysql_close($link);
print "</SELECT>";
 
?>
_________________________


If ---> <OPTION value='".$rowc[coname] has an apostrophe in the record (i.e. Larry's Barber Shop), it won't display the record when the user clicks submit. Is there a way to apply stripslashes to this? Is there any solution at all?

Thanks
Question by:lvollmer
14 Comments
 
LVL 9

Expert Comment

by:waygood
ID: 16446131
Use htmlentites

print "<OPTION value='".htmlentites($rowc[coname])."'>".htmlentites($rowc[coname])."</OPTION>";
 
LVL 9

Expert Comment

by:waygood
ID: 16446178
BUT I'd change it slightly

<?php
$link = mysql_connect("", "", "") OR DIE("Unable to connect to the database");
mysql_select_db("");

$sqlc = "SELECT index, coname FROM master,sales WHERE sales.hhid = master.hhid ORDER BY coname";
$rsc  = mysql_query($sqlc) or die(mysql_error());
echo "<SELECT size ='18' width ='300' name='region' style='font-family: Verdana;width:350px;color: #FF6600; font-size: 10px; border: 1px solid #000000'>";
    while ($rowc  =  mysql_fetch_assoc($rsc)) {
       print "<OPTION value='".$rowc['index']."'>".htmlentites(stripslashes($rowc['coname']))."</OPTION>";

  }
   mysql_close($link);
print "</SELECT>";
 
?>

so when you submit you pass the index to the row, making it easier to search for, because what if there were two entries with the same coname??

(change index to the index name of the table you will get the record from later)
 

Author Comment

by:lvollmer
ID: 16446300
waygood

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'index, coname FROM master,sales WHERE sales.hhid = master.hhid


That is the error I get when I use that code

 

Author Comment

by:lvollmer
ID: 16446355
Also, if I use:Use htmlentites

print "<OPTION value='".htmlentites($rowc[coname])."'>".htmlentites($rowc[coname])."</OPTION>";

I do not get any values at all in the list box
 
LVL 9

Expert Comment

by:waygood
ID: 16446380
This is what I use. The QUERY selects the index then the display value; as they are referenced as field0 and field1, there is no need to worry about the actual names of the fields.

<select name="stage_id">
  <?php echo drop_down_box_options("SELECT stage_id, description FROM arm_product_stages ORDER BY display_order","","All Stages","1,2,3,4");  ?>
</select>

<?php

function drop_down_box_options($sql,$default="",$all=null,$all_value=0)
{
      $output="";
      if(isset($all))
      {
            $output.= '<option ';
            $output.= 'value="'.htmlentities($all_value).'"';
            if ($default==$all_value)
            {
                  $output.= ' selected="selected"';
            }
            $output.= '>' . htmlentities($all);
            $output.= '</option>';
            $output.= "\n";
      }
      
      $connection = mysql_connect($location, $user, $password ) or die ("Couldn't connect to database");
      $db = mysql_select_db($db_name, $connection) or die ("Couldn't select database");
      $result=mysql_query($sql, $connection) or die ("Couldn't execute query");

      while($row=mysql_fetch_row($result))
      {
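            $output.= '<option value="';
            $output.= htmlentities(stripslashes($row[0]));
            // Close the value attribute before the optional selected attribute,
            // otherwise a selected row ends up with a stray double quote.
            $output.= '"';
            if ($default==$row[0])
            {
                  $output.= ' selected="selected"';
            }
            $output.= '>';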
            $output.= htmlentities(stripslashes($row[1]));
            $output.= '</option>';
            $output.= "\n";
      }
      return $output;
}

?>
 
LVL 9

Expert Comment

by:waygood
ID: 16446414
***(change index to the index name of the table you will get the record from later)

and change the database connection variables above to your settings.
 

Author Comment

by:lvollmer
ID: 16446561
print "<OPTION value='".htmlentities($rowc[coname])."'>".htmlentities($rowc[coname])."</OPTION>";


this will display options now; there was just a typo with htmlentities ...

However I do not think that this is the problem anymore... I might have to apply stripslashes to the page that the list box posts to.

$region = $_REQUEST['region'];   <--- This is on the page that coname posts to ... when I echo the value for this , it echoes "Bell" ... It is supposed to echo "Bell's Company" .... Any idea what I can do?
 
LVL 9

Expert Comment

by:waygood
ID: 16446747
How about this:-

At the start of each processing script that accepts the posted forms, I have this
$posted_data=$_POST;
array_walk($posted_data, "process_post");

// This is the function that removes the slashes (if necessary) and trims the entries.
function process_post(&$data)
{
      if(is_scalar($data))
      {
            if(get_magic_quotes_gpc())
            {
                  $data=stripslashes($data);
            }
            $data=trim($data);
      }
}
 

Author Comment

by:lvollmer
ID: 16446837
Warning: array_walk(): The argument should be an array in /mnt/drbd/home/url/url.com/www/regionlist7.php on line 4


Code:
<?
$region = $_REQUEST['region'];
//$posted_data=$_POST;
array_walk($region, "process_post");

// This is the function that removes the slashes (if necessary) and trims the entries.
function process_post(&$region)
{
     if(is_scalar($region))
     {
          if(get_magic_quotes_gpc())
          {
               $data=stripslashes($region);
          }
          $data=trim($data);
     }
} ?>
 
LVL 11

Expert Comment

by:star_trek
ID: 16446950
use array_walk as
array_walk($_REQUEST,"process_post");
 

Author Comment

by:lvollmer
ID: 16447012
still cuts off at the apostrophe -

when I echo $region I get "RESNICK" ... I should get "RESNICK'S MATTRESS"

when I echo $data I get nothing.
 
LVL 20

Expert Comment

by:Muhammad Wasif
ID: 16449443
use this to display region
echo htmlentities($region, ENT_QUOTES);

http://www.php.net/htmlentities
 
LVL 11

Expert Comment

by:star_trek
ID: 16449577
in the HTML use
change the following
print "<OPTION value='".$rowc[coname]."'>".$rowc[coname]."</OPTION>";

to
print "<OPTION value='".htmlentities($rowc[coname])."'>".$rowc[coname]."</OPTION>";

when the user clicks submit use the following in next page

$val = html_entity_decode($_POST['region']);

//$val can be matched to the one in database
 
LVL 20

Accepted Solution

by:
Muhammad Wasif earned 2000 total points
ID: 16451530
note the difference of ENT_QUOTES, using htmlentities($data, ENT_QUOTES) converts
' => &#039;
" => &quot;

print '<OPTION value="'.htmlentities($rowc["coname"], ENT_QUOTES).'">'.$rowc["coname"].'</OPTION>';

this will print RESNICK'S MATTRESS and I NEED "THIS" VALUE as

<SELECT size ='18' width ='300' name='region' style='font-family: Verdana;width:350px;color: #FF6600; font-size: 10px; border: 1px solid #000000'>
<OPTION value="RESNICK&#039;S MATTRESS">RESNICK'S MATTRESS</OPTION>
<OPTION value="I NEED &quot;THIS&quot; VALUE">I NEED "THIS" VALUE</OPTION>
</SELECT>

on the next page when you echo
echo $_POST["region"];

If magic quotes are enabled, you will get the value (depending on your selection)

RESNICK\'S MATTRESS
or
I NEED \"THIS\" VALUE

you can use this value safely in sql queries.

If you want to print this value in plain html use stripslashes()
echo stripslashes($_POST["region"]);

If you want to use $_POST["region"] value in text box use the htmlentities() like

echo '<input type="text" name="myvalue" value="'.htmlentities(stripslashes($_POST["region"]), ENT_QUOTES).'">';

if you closely look at this, you can see I have used single quote around the whole expression and double quote around the value.. this will generate

<input type="text" name="myvalue" value="RESNICK&#039;S MATTRESS">
<input type="text" name="myvalue" value="I NEED &quot;THIS&quot; VALUE">


I think you are facing this problem
if you change double quote to single quote around value, you will get something like this
<input type="text" name="myvalue" value='RESNICK'S MATTRESS'>
but will break on first apostrophe and will print RESNICK

If you view html source of your page, you will come to know this.

Hope this will help you.

Muhammad Wasif
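
The truncation described in the accepted answer, as an added example that is not part of the original thread: it renders each option with a single-quoted value attribute, parses the markup back with DOMDocument, and compares what the form would submit under ENT_COMPAT (the default before PHP 8.1) and under ENT_QUOTES. The sample names and the helpers `render_option` and `submitted_value` are constructed for illustration.

```php
<?php
// Added example: constructed sample data, not code from the thread.

// Constructed values standing in for the `coname` column.
$names = ["RESNICK'S MATTRESS", 'I NEED "THIS" VALUE', 'A & B <Tools>'];

// Build an <option> the way the original script did: single-quoted attribute.
// (hypothetical helper)
function render_option(string $value, int $flags): string
{
    $enc = htmlentities($value, $flags, 'UTF-8');
    return "<option value='" . $enc . "'>" . $enc . "</option>";
}

// Parse the markup the way a browser would and return the value attribute
// of the first <option>, i.e. what the form would submit. (hypothetical helper)
function submitted_value(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc->loadHTML('<select>' . $html . '</select>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('option')->item(0)->getAttribute('value');
}

foreach ($names as $name) {
    // ENT_COMPAT encodes " but leaves ' untouched, so a single-quoted
    // attribute ends at the first apostrophe in the data.
    $weak = render_option($name, ENT_COMPAT);
    // ENT_QUOTES encodes both ' and ", so either quoting style is safe.
    $safe = render_option($name, ENT_QUOTES);

    printf(
        "%-22s ENT_COMPAT => %-24s ENT_QUOTES => %s\n",
        $name,
        var_export(submitted_value($weak), true),
        var_export(submitted_value($safe), true)
    );

    // Round-trip check: the submitted value must equal the stored value.
    if (submitted_value($safe) !== $name) {
        throw new RuntimeException("round trip failed for: $name");
    }
}
```

The same unescaped quote that cuts the value short also lets stored data add attributes to the tag, so encoding with ENT_QUOTES at output time is the fix for both problems.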