Solved

Apostophes in PHP generated form

Posted on 2016-11-28
6
20 Views
Last Modified: 2016-11-28
Hi

I have a problem with the old chestnut of apostrophes in forms. I know the answer lies in the addslahes/ stripslashes/ htmlspecialcharacters/ html entities functions.

My form gathers surnames, such as O'Connor. Before I pass them to an sql to add to a MSSQL database, I run them through a function to clean them up:

function test($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  $data = str_replace('&', '&', $data);
  $data = rtrim(ltrim($data));
  return $data;

The data is stored in the database correctly

I retrieve the data and display it in a form text field:
<input type='text' name='surname' value='".$row['surname']."' id='surname'/>

Only the "O" is displayed, the ' is being confused with the php ' in the ."'

Using Chrome Inspector, I can see that the data is being parsed as
<input type="text" name="surname" value="O\" byrne'="" id="surname">
and the view-source gives:
<input type='text' name='surname' value='O\'Byrne' id='surname'/>

Please can someone let me know the proper course of action that I need to take to get the text to display properly in the form field.

Thank you
0
Comment
Question by:rwlloyd71
  • 2
  • 2
  • 2
6 Comments
 
LVL 51

Expert Comment

by:Julian Hansen
ID: 41903999
Why are you not using double quotes for the attributes - as is the standard?
0
 

Author Comment

by:rwlloyd71
ID: 41904009
Hi.

Thanks for your reply.

The page/form is written is generated dynamically in php, as below:

If ($var=='1'){
echo "<input type='text' name='surname' value='".$row['']."' />";
}

Therefore I need the combination on single and double quotes to stay as they are.

If only it was that easy! To switch the double and single quotes round would mess up my entire coding structure.
0
 
LVL 51

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
ID: 41904027
Rather use HEREDOC for your strings it allows you to combine both single and double quotes as well as embed vars

If ($var=='1'){
echo <<< INPUT
  <input type="text" name="surname" value="{$row['surname']}" />
INPUT;
}

Open in new window

Makes all the quotation issues better
1
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 108

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 41904064
What DB driver are you using?

PHP has a long and painful history with quote marks.  First there was the magic quotes / addslashes mess.  Then (of course) technology moved ahead, and we all discovered that the MSSQL drivers were not very good.

The theory that works correctly in MySQL (and I would hope works correctly in MSSQL) goes something like this...

1. When you receive any external input, store it exactly as received in your database.  All that clean-up stuff just mungs the data, so don't do that.  In the MySQLi extension we use an escape function to mark the quotes and other special characters as data without semantic meaning, but this escape sequence is only for communication with the DB engine, and the escape characters are not kept in the database.

2. When you get the data out of the database and want to display it in a browser viewport, use HTMLSpecialChars() to convert the special characters into display entities.

That's it.  If you do those things, it will always work correctly.   Browser displays will look right.  Form input will be correct.  The database will work as needed.

Further to how quotes and apostrophes are used in PHP:
https://www.experts-exchange.com/articles/12241/Quotation-Marks-in-PHP.html

Best of luck with your project, ~Ray
0
 

Author Closing Comment

by:rwlloyd71
ID: 41904280
Thanks Guys.

I have actually swapped my " and ' within the statement for the time being and it has got me round the problem for now.

I'm going to check out the HERDOC and HTMLSppecialCharacters and work out what is best for me.

PS. I am using SQLSRV drivers on MSSQL
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 41904299
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
This article discusses four methods for overlaying images in a container on a web page
In this tutorial viewers will learn how to style a corner ribbon overlay for an image using CSS Create a new class by typing ".Ribbon":  Define the class' "display:" as "inline-block": Define its "position:" as "relative": Define its "overflow:" as …
The viewer will receive an overview of the basics of CSS showing inline styles. In the head tags set up your style tags: (CODE) Reference the nav tag and set your properties.: (CODE) Set the reference for the UL element and styles for it to ensu…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now