Dealing with apostrophes when inserting and reading from a PostgreSQL database


I am using this code:

echo "<input type='text' name='passwordquestion' value='".htmlspecialchars(stripslashes(trim($row['passwordquestion'])))."' size='50'>";

when displaying a field from a database which may include an apostrophe within the text.  If the text is "Mother's maiden name" then it is only showing the word Mother in the box displayed on screen, but if you view the source of the page, the value of the field is the full text.

When I am adding the value into the database, I am using this code around the data:

$mypwdQn = $_POST['passwordquestion'];
$mypwdQn = addslashes($mypwdQn);

The data is added fine into the database.

Can someone please help me to get the data to display correctly in the input box?

Thanks heaps,


Cornelia Yoder (Artist) Commented:
You should use htmlspecialchars( ), or better yet htmlentities( ) because it handles quotes better, on ALL input before it goes into the database.  This function replaces all special characters with their &nn html code equivalents, so be sure to allow extra room in the field lengths in the database for it (if they are not TEXT fields).

Once you have done this, you can retrieve the info from the database and display it directly without any further manipulation (as ner0187 said).

That's the stripslashes function:

$str = "Is your name O\'reilly?";

// Outputs: Is your name O'reilly?
echo stripslashes($str);
hmaloney (Author) Commented:
Thanks koolie, I'm using that functionality already as per my code, but it is not working.

My mistake... What you could try doing is stripping the slashes before the data is inserted into the db rather than running all of the function commands from the input box.
ner0187 Commented:
Try getting rid of the htmlspecialchars() function when you're pulling it back from the database.

If you want to use this function, you should really execute it before inserting to the db.

Not sure if this will help, but it would be a better way of doing it, e.g. if you wanted to use the data somewhere else, to save on code etc.

All the best
hmaloney (Author) Commented:

I am now saving the text to the database field using the htmlentities( ) function, and it is putting a \ in front of the apostrophe.

Then, when I display the contents of that database field in a webpage it all turns out nicely.  However, when I display the text inside the value attribute of an input field, the text stops just before the apostrophe.  I tried it with and without htmlentities() around the value.

I'd appreciate your further help!

Thank you.
Cornelia Yoder (Artist) Commented:
Where is the backslash coming from?  htmlentities doesn't put it in.
hmaloney (Author) Commented:
Ah! I just discovered that the code I am using to do the SQL update is putting the apostrophe in itself...

So, if I have this text in my database "xyz\'xyz" and I want it to appear inside a value attribute like this:
<input type='text' name='myfield' value='xyz'xyz' > 

I've just worked out a way around this... instead of putting all of the above in an echo statement, I am breaking out of the PHP code for all the HTML text, and just using PHP to print the value in between " ".

Thanks for all your help.
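The following is an added example, not code posted by anyone in this thread. It reproduces the asker's original echo to show why a bare apostrophe cuts a single-quoted value attribute short, then shows the two escaping steps that belong to the two contexts involved: htmlspecialchars() with ENT_QUOTES for the HTML attribute, and a parameterized query (pg_query_params) for PostgreSQL instead of addslashes(). The users table, the $conn connection and the savePasswordQuestion() helper are assumptions for illustration; the sample text is the one from the question.

```php
<?php
// Added example, not code from the thread. Shows the asker's attribute
// breakage and the context-specific escaping that avoids it.

declare(strict_types=1);

// Constructed sample input, the same text the asker used.
const SAMPLE = "Mother's maiden name";

/**
 * Render the field the way the asker's echo does. ENT_COMPAT is passed
 * explicitly to reproduce the default of htmlspecialchars() before PHP 8.1:
 * double quotes are converted, single quotes are left alone, so the
 * apostrophe terminates the single-quoted value attribute early.
 */
function renderWithDefaultFlags(string $value): string
{
    return "<input type='text' name='passwordquestion' value='"
        . htmlspecialchars($value, ENT_COMPAT) . "' size='50'>";
}

/**
 * Same field, escaped for the attribute context explicitly. ENT_QUOTES
 * converts both quote characters, ENT_SUBSTITUTE keeps invalid byte
 * sequences from turning the output into an empty string, and the charset
 * is named so multi-byte text is handled correctly. Works with either
 * quoting style around the value.
 */
function renderForAttribute(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='passwordquestion' value='" . $safe . "' size='50'>";
}

/**
 * Store the raw text with a parameterized query rather than addslashes().
 * The driver quotes the value, so nothing like O\'reilly is written to the
 * row and no stripslashes() is needed when reading it back. The users table
 * and the $conn resource are hypothetical; this function is not called in
 * the demo below because it needs a live database connection.
 */
function savePasswordQuestion($conn, int $userId, string $question): bool
{
    $result = pg_query_params(
        $conn,
        'UPDATE users SET passwordquestion = $1 WHERE id = $2',
        [$question, $userId]
    );
    return $result !== false;
}

// Demo: the addslashes()/stripslashes() round trip the thread relies on,
// followed by both renderings of the same text.
$stored   = addslashes(SAMPLE);     // backslash inserted before the apostrophe
$readBack = stripslashes($stored);  // original text restored

echo renderWithDefaultFlags($readBack), PHP_EOL;
echo renderForAttribute($readBack), PHP_EOL;
```

Run with `php example.php`. The first line of output carries the apostrophe unescaped inside value='...', which is exactly what the asker saw in the page source: the browser closes the attribute at that apostrophe and the box shows only "Mother". The second line carries &#039; in its place, so the full text survives in the attribute. The addslashes() step is shown only to mirror the thread; with pg_query_params the stored text is already the raw string, so both the addslashes() call and the stripslashes() call in the original echo become unnecessary.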