Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Apostophes in PHP generated form

Posted on 2016-11-28
6
51 Views
Last Modified: 2016-12-28
Hi

I have a problem with the old chestnut of apostrophes in forms. I know the answer lies in the addslahes/ stripslashes/ htmlspecialcharacters/ html entities functions.

My form gathers surnames, such as O'Connor. Before I pass them to an sql to add to a MSSQL database, I run them through a function to clean them up:

function test($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  $data = str_replace('&', '&', $data);
  $data = rtrim(ltrim($data));
  return $data;

The data is stored in the database correctly

I retrieve the data and display it in a form text field:
<input type='text' name='surname' value='".$row['surname']."' id='surname'/>

Only the "O" is displayed, the ' is being confused with the php ' in the ."'

Using Chrome Inspector, I can see that the data is being parsed as
<input type="text" name="surname" value="O\" byrne'="" id="surname">
and the view-source gives:
<input type='text' name='surname' value='O\'Byrne' id='surname'/>

Please can someone let me know the proper course of action that I need to take to get the text to display properly in the form field.

Thank you
0
Comment
Question by:rwlloyd71
  • 2
  • 2
  • 2
6 Comments
 
LVL 55

Expert Comment

by:Julian Hansen
ID: 41903999
Why are you not using double quotes for the attributes - as is the standard?
0
 

Author Comment

by:rwlloyd71
ID: 41904009
Hi.

Thanks for your reply.

The page/form is written is generated dynamically in php, as below:

If ($var=='1'){
echo "<input type='text' name='surname' value='".$row['']."' />";
}

Therefore I need the combination on single and double quotes to stay as they are.

If only it was that easy! To switch the double and single quotes round would mess up my entire coding structure.
0
 
LVL 55

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
ID: 41904027
Rather use HEREDOC for your strings it allows you to combine both single and double quotes as well as embed vars

If ($var=='1'){
echo <<< INPUT
  <input type="text" name="surname" value="{$row['surname']}" />
INPUT;
}

Open in new window

Makes all the quotation issues better
1
Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

 
LVL 109

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 41904064
What DB driver are you using?

PHP has a long and painful history with quote marks.  First there was the magic quotes / addslashes mess.  Then (of course) technology moved ahead, and we all discovered that the MSSQL drivers were not very good.

The theory that works correctly in MySQL (and I would hope works correctly in MSSQL) goes something like this...

1. When you receive any external input, store it exactly as received in your database.  All that clean-up stuff just mungs the data, so don't do that.  In the MySQLi extension we use an escape function to mark the quotes and other special characters as data without semantic meaning, but this escape sequence is only for communication with the DB engine, and the escape characters are not kept in the database.

2. When you get the data out of the database and want to display it in a browser viewport, use HTMLSpecialChars() to convert the special characters into display entities.

That's it.  If you do those things, it will always work correctly.   Browser displays will look right.  Form input will be correct.  The database will work as needed.

Further to how quotes and apostrophes are used in PHP:
https://www.experts-exchange.com/articles/12241/Quotation-Marks-in-PHP.html

Best of luck with your project, ~Ray
0
 

Author Closing Comment

by:rwlloyd71
ID: 41904280
Thanks Guys.

I have actually swapped my " and ' within the statement for the time being and it has got me round the problem for now.

I'm going to check out the HERDOC and HTMLSppecialCharacters and work out what is best for me.

PS. I am using SQLSRV drivers on MSSQL
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 41904299
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In this tutorial viewers will learn how to code links for mobile sites that, once clicked, send a call or text to a specified number. For a telephone link (once clicked, calls a number), begin with a normal "<a href=" link tag. For the href, specify…
The viewer will learn how to count occurrences of each item in an array.

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question