Solved

Apostophes in PHP generated form

Posted on 2016-11-28
6
58 Views
Last Modified: 2016-12-28
Hi

I have a problem with the old chestnut of apostrophes in forms. I know the answer lies in the addslahes/ stripslashes/ htmlspecialcharacters/ html entities functions.

My form gathers surnames, such as O'Connor. Before I pass them to an sql to add to a MSSQL database, I run them through a function to clean them up:

function test($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  $data = str_replace('&', '&', $data);
  $data = rtrim(ltrim($data));
  return $data;

The data is stored in the database correctly

I retrieve the data and display it in a form text field:
<input type='text' name='surname' value='".$row['surname']."' id='surname'/>

Only the "O" is displayed, the ' is being confused with the php ' in the ."'

Using Chrome Inspector, I can see that the data is being parsed as
<input type="text" name="surname" value="O\" byrne'="" id="surname">
and the view-source gives:
<input type='text' name='surname' value='O\'Byrne' id='surname'/>

Please can someone let me know the proper course of action that I need to take to get the text to display properly in the form field.

Thank you
0
Comment
Question by:rwlloyd71
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 57

Expert Comment

by:Julian Hansen
ID: 41903999
Why are you not using double quotes for the attributes - as is the standard?
0
 

Author Comment

by:rwlloyd71
ID: 41904009
Hi.

Thanks for your reply.

The page/form is written is generated dynamically in php, as below:

If ($var=='1'){
echo "<input type='text' name='surname' value='".$row['']."' />";
}

Therefore I need the combination on single and double quotes to stay as they are.

If only it was that easy! To switch the double and single quotes round would mess up my entire coding structure.
0
 
LVL 57

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
ID: 41904027
Rather use HEREDOC for your strings it allows you to combine both single and double quotes as well as embed vars

If ($var=='1'){
echo <<< INPUT
  <input type="text" name="surname" value="{$row['surname']}" />
INPUT;
}

Open in new window

Makes all the quotation issues better
1
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 110

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 41904064
What DB driver are you using?

PHP has a long and painful history with quote marks.  First there was the magic quotes / addslashes mess.  Then (of course) technology moved ahead, and we all discovered that the MSSQL drivers were not very good.

The theory that works correctly in MySQL (and I would hope works correctly in MSSQL) goes something like this...

1. When you receive any external input, store it exactly as received in your database.  All that clean-up stuff just mungs the data, so don't do that.  In the MySQLi extension we use an escape function to mark the quotes and other special characters as data without semantic meaning, but this escape sequence is only for communication with the DB engine, and the escape characters are not kept in the database.

2. When you get the data out of the database and want to display it in a browser viewport, use HTMLSpecialChars() to convert the special characters into display entities.

That's it.  If you do those things, it will always work correctly.   Browser displays will look right.  Form input will be correct.  The database will work as needed.

Further to how quotes and apostrophes are used in PHP:
https://www.experts-exchange.com/articles/12241/Quotation-Marks-in-PHP.html

Best of luck with your project, ~Ray
0
 

Author Closing Comment

by:rwlloyd71
ID: 41904280
Thanks Guys.

I have actually swapped my " and ' within the statement for the time being and it has got me round the problem for now.

I'm going to check out the HERDOC and HTMLSppecialCharacters and work out what is best for me.

PS. I am using SQLSRV drivers on MSSQL
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 41904299
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to write a Context Sensitive Help (an online help that is obtained from a specific point in state of software to provide help with that state) ,  first we need to make the file that contains all topics, which are given exclusive IDs. …
This article discusses how to implement server side field validation and display customized error messages to the client.
In this tutorial viewers will learn how to embed an audio file in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: : The declaration should display (CODE) HTML5 is supported by the most recent versions of all major browsers…
In this tutorial viewers will learn how to embed videos in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: "<!DOCTYPE html>": Use the <video> tag to insert a video. Define the src as the URL of your video; this is similar to …

731 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question