Apostophes in PHP generated form

Hi

I have a problem with the old chestnut of apostrophes in forms. I know the answer lies in the addslahes/ stripslashes/ htmlspecialcharacters/ html entities functions.

My form gathers surnames, such as O'Connor. Before I pass them to an sql to add to a MSSQL database, I run them through a function to clean them up:

function test($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  $data = str_replace('&', '&', $data);
  $data = rtrim(ltrim($data));
  return $data;

The data is stored in the database correctly

I retrieve the data and display it in a form text field:
<input type='text' name='surname' value='".$row['surname']."' id='surname'/>

Only the "O" is displayed, the ' is being confused with the php ' in the ."'

Using Chrome Inspector, I can see that the data is being parsed as
<input type="text" name="surname" value="O\" byrne'="" id="surname">
and the view-source gives:
<input type='text' name='surname' value='O\'Byrne' id='surname'/>

Please can someone let me know the proper course of action that I need to take to get the text to display properly in the form field.

Thank you
rwlloyd71Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Ray PaseurConnect With a Mentor Commented:
What DB driver are you using?

PHP has a long and painful history with quote marks.  First there was the magic quotes / addslashes mess.  Then (of course) technology moved ahead, and we all discovered that the MSSQL drivers were not very good.

The theory that works correctly in MySQL (and I would hope works correctly in MSSQL) goes something like this...

1. When you receive any external input, store it exactly as received in your database.  All that clean-up stuff just mungs the data, so don't do that.  In the MySQLi extension we use an escape function to mark the quotes and other special characters as data without semantic meaning, but this escape sequence is only for communication with the DB engine, and the escape characters are not kept in the database.

2. When you get the data out of the database and want to display it in a browser viewport, use HTMLSpecialChars() to convert the special characters into display entities.

That's it.  If you do those things, it will always work correctly.   Browser displays will look right.  Form input will be correct.  The database will work as needed.

Further to how quotes and apostrophes are used in PHP:
https://www.experts-exchange.com/articles/12241/Quotation-Marks-in-PHP.html

Best of luck with your project, ~Ray
0
 
Julian HansenCommented:
Why are you not using double quotes for the attributes - as is the standard?
0
 
rwlloyd71Author Commented:
Hi.

Thanks for your reply.

The page/form is written is generated dynamically in php, as below:

If ($var=='1'){
echo "<input type='text' name='surname' value='".$row['']."' />";
}

Therefore I need the combination on single and double quotes to stay as they are.

If only it was that easy! To switch the double and single quotes round would mess up my entire coding structure.
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
Julian HansenConnect With a Mentor Commented:
Rather use HEREDOC for your strings it allows you to combine both single and double quotes as well as embed vars

If ($var=='1'){
echo <<< INPUT
  <input type="text" name="surname" value="{$row['surname']}" />
INPUT;
}

Open in new window

Makes all the quotation issues better
1
 
rwlloyd71Author Commented:
Thanks Guys.

I have actually swapped my " and ' within the statement for the time being and it has got me round the problem for now.

I'm going to check out the HERDOC and HTMLSppecialCharacters and work out what is best for me.

PS. I am using SQLSRV drivers on MSSQL
0
All Courses

From novice to tech pro — start learning today.