Solved

Apostrophes in PHP generated form

Posted on 2016-11-28
Last Modified: 2016-12-28
Hi

I have a problem with the old chestnut of apostrophes in forms. I know the answer lies in the addslashes/ stripslashes/ htmlspecialcharacters/ html entities functions.

My form gathers surnames, such as O'Connor. Before I pass them to an sql to add to a MSSQL database, I run them through a function to clean them up:

function test($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  $data = str_replace('&', '&', $data);
  $data = rtrim(ltrim($data));
  return $data;
}

The data is stored in the database correctly

I retrieve the data and display it in a form text field:
<input type='text' name='surname' value='".$row['surname']."' id='surname'/>

Only the "O" is displayed, the ' is being confused with the php ' in the ."'

Using Chrome Inspector, I can see that the data is being parsed as
<input type="text" name="surname" value="O\" byrne'="" id="surname">
and the view-source gives:
<input type='text' name='surname' value='O\'Byrne' id='surname'/>

Please can someone let me know the proper course of action that I need to take to get the text to display properly in the form field.

Thank you
0
Question by:rwlloyd71
6 Comments
 
LVL 54

Expert Comment

by:Julian Hansen
ID: 41903999
Why are you not using double quotes for the attributes - as is the standard?
0
 

Author Comment

by:rwlloyd71
ID: 41904009
Hi.

Thanks for your reply.

The page/form is generated dynamically in php, as below:

If ($var=='1'){
echo "<input type='text' name='surname' value='".$row['']."' />";
}

Therefore I need the combination of single and double quotes to stay as they are.

If only it was that easy! To switch the double and single quotes round would mess up my entire coding structure.
0
 
LVL 54

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
ID: 41904027
Rather use HEREDOC for your strings. It allows you to combine both single and double quotes as well as embed vars

If ($var=='1'){
echo <<< INPUT
  <input type="text" name="surname" value="{$row['surname']}" />
INPUT;
}


Makes all the quotation issues better
1

 
LVL 109

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 41904064
What DB driver are you using?

PHP has a long and painful history with quote marks.  First there was the magic quotes / addslashes mess.  Then (of course) technology moved ahead, and we all discovered that the MSSQL drivers were not very good.

The theory that works correctly in MySQL (and I would hope works correctly in MSSQL) goes something like this...

1. When you receive any external input, store it exactly as received in your database.  All that clean-up stuff just mungs the data, so don't do that.  In the MySQLi extension we use an escape function to mark the quotes and other special characters as data without semantic meaning, but this escape sequence is only for communication with the DB engine, and the escape characters are not kept in the database.

2. When you get the data out of the database and want to display it in a browser viewport, use HTMLSpecialChars() to convert the special characters into display entities.

That's it.  If you do those things, it will always work correctly.   Browser displays will look right.  Form input will be correct.  The database will work as needed.

Further to how quotes and apostrophes are used in PHP:
https://www.experts-exchange.com/articles/12241/Quotation-Marks-in-PHP.html

Best of luck with your project, ~Ray
0
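
The two steps from the accepted answer, written out as an added example (not code posted by anyone in this thread). It assumes the SQLSRV driver; the table `dbo.people`, the helper names and the sample surnames are hypothetical. The detail that matters for the single-quoted attributes in the question is `ENT_QUOTES`: before PHP 8.1 the default flag of `htmlspecialchars()` left apostrophes unencoded.

```php
<?php
// Added example. dbo.people, save_surname(), attr() and surname_field()
// are hypothetical names chosen for illustration.

// Step 1: store the value exactly as received. The ? placeholder sends it
// to SQL Server as data, so the apostrophe never becomes part of the SQL
// text and no addslashes()/stripslashes() pass is needed.
function save_surname($conn, string $surname)
{
    // $conn is assumed to be an open connection from sqlsrv_connect().
    $sql = 'INSERT INTO dbo.people (surname) VALUES (?)';
    return sqlsrv_query($conn, $sql, [trim($surname)]);
}

// Step 2: encode when writing into HTML. ENT_QUOTES encodes both ' and ",
// so the value cannot close the attribute whichever quote style is used.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function surname_field(string $surname): string
{
    return "<input type='text' name='surname' value='"
         . attr($surname) . "' id='surname'/>";
}

// Constructed sample values, as they would come back from the database.
$samples = ["O'Byrne", 'Anne "Annie" D\'Arcy & Co'];

foreach ($samples as $surname) {
    // Unencoded: the first apostrophe ends the value attribute early, and
    // the rest of the stored text is parsed as markup by the browser.
    echo "raw:     <input type='text' name='surname' value='"
       . $surname . "' id='surname'/>" . PHP_EOL;

    // Encoded: the browser shows the full surname in the field and sends
    // the original characters back when the form is submitted.
    echo 'encoded: ' . surname_field($surname) . PHP_EOL;
}
```

A backslash, as in the `O\'Byrne` seen in view-source, is not an escape in HTML, so slash-based functions cannot fix the attribute; only entity encoding at output does.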
 

Author Closing Comment

by:rwlloyd71
ID: 41904280
Thanks Guys.

I have actually swapped my " and ' within the statement for the time being and it has got me round the problem for now.

I'm going to check out the HEREDOC and HTMLSpecialCharacters and work out what is best for me.

PS. I am using SQLSRV drivers on MSSQL
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 41904299
0
