  1. #1
    SitePoint Zealot
    Join Date
    Jul 2003
    Location
    London
    Posts
    189

    those damn quotes

    Hi all, I've been having a problem with quotes and hyphens in my PHP for a while.

    While I now understand the basics and can submit and extract text with these from a database, my particular question is more complicated, so I decided to strip down my code and post it to explain why it's a problem, and hopefully someone can help.

    Essentially the user posts something via a form, this is then previewed and then added to the DB. It's not submitted directly. So my code works fine when no quotes are used, but put one in and you have a problem.

    I've tried stripslashes and many other functions but none work for this. I've tried different ways of doing it with no luck. I really need help.

    Code:
    <?php

    @$form_element = addslashes($_POST['element']);

    // prepare the form

    $form1 = "<form action='preview.php?stage=preview' method='post'>
                <table width='100%' border='1' cellspacing='0' cellpadding='5'>
                  <tr>
                    <td>Your Comment:</td>
                    <td><input name='element' type='text' value='$form_element'></td>
                    <td><input type='submit' value='Submit Entry' class='button'></td>
                  </tr>
                </table>
              </form>";

    // display form if first time on page

    if ($_GET['stage'] == "start")
    {
        echo $form1;
    }

    // display preview on submit

    if (@$_GET['stage'] == "preview")
    {
        echo "Preview Form:<br><br>";
        echo "<table width='100%' border='1' cellspacing='0' cellpadding='5'>
                <tr>
                  <td>$form_element</td>
                </tr>
              </table>";

        echo "<form action='preview.php?stage=end' method='post'>
                <input type='hidden' name='element' value='$form_element'>
                <input type='submit' value='Add Entry'>
              </form>";
    }

    // display confirmation page and submit to database

    if ($_GET['stage'] == "end")
    {
        $query = "insert into element (element) values ('$form_element')";
        $result = mysql_query($query) or die ("Couldn't execute query.");
        echo "Your text has been inserted into the database. <a href='preview.php?stage=show'>View</a>";
    }

    if ($_GET['stage'] == "show")
    {
        $query = "select element from element";
        $result = mysql_query($query) or die ("Couldn't execute query.");
        $row = mysql_fetch_array($result);
        $element = stripslashes($row['element']);
        echo $element;
    }

    ?>
    please!!!

    JP

  2. #2
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    i've tried different ways of doing it with no luck
    Do, or do not. There is no 'try.'

    PHP Code:
    // Step1. Take data from user input

    if (isset($_REQUEST['form_field'])) {
        $input_data = $_REQUEST['form_field'];
        if (get_magic_quotes_gpc())
            $input_data = stripslashes($input_data);
    } else {
        $input_data = "DEFAULT VALUE";
    }

    // Step2. Output the data

    $html_data = htmlspecialchars($input_data);
    print $html_data;

    // Step3. Insert data in mysql

    $sql_data = addslashes($input_data);
    mysql_query("INSERT INTO
        someTable (fieldName)
        VALUES('$sql_data')");
    Please read this code snippet carefully. All you need to know is there.

  3. #3
    SitePoint Zealot
    Join Date
    Jul 2003
    Location
    London
    Posts
    189
    OK, thanks a lot for that code.

    I've spent a while on it and have a few questions.

    isset checks if a variable exists, so is the else in the statement meant to come up if the field is blank? I don't really get the DEFAULT INPUT thing.

    I had a look at magic quotes. Is it like a module or does it come with standard PHP? Why do you have to check for it?

    I have no idea how to get from stage 1 to stage 2.

    Here is what I have so far...

    PHP Code:
    <?php

    // display form if first time on page

    if ($_GET['stage'] == "start")
    {
        echo $form;
    }

    // display preview on submit

    if (@$_GET['stage'] == "preview")
    {
        if (isset($_REQUEST['form_field']))
        {
            $input_data = $_REQUEST['form_field'];
            if (get_magic_quotes_gpc())
            {
                $input_data = stripslashes($input_data);
            }
        }
        else
        {
            $input_data = "DEFAULT VALUE";
        }

        $html_data = htmlspecialchars($input_data);
        echo $html_data;
    }

    // display confirmation page and submit to database

    if ($_GET['stage'] == "end")
    {
        // note: $input_data is not read from the request in this stage
        $sql_data = addslashes($input_data);
        $query = "insert into element (element) values ('$sql_data')";
        $result = mysql_query($query) or die ("Couldn't execute query.");
        echo "Your text has been inserted into the database. <a href='preview.php?stage=show'>View</a>";
    }

    if ($_GET['stage'] == "show")
    {
        $query = "select element from element";
        $result = mysql_query($query) or die ("Couldn't execute query.");
        $row = mysql_fetch_array($result);
        $element = stripslashes($row['element']);
        echo $element;
    }

    ?>

  4. #4
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Quote Originally Posted by Jappy
    isset checks if a variable exists, so is the else in the statement meant to come up if the field is blank? I don't really get the DEFAULT INPUT thing.
    Not "blank", but missing. Imagine you have the following
    Code:
    <form action="process_form.php">
    <input name="username">
    <input type="submit">
    </form>
    When the user clicks the submit button, your script always receives the "username" field in the $_REQUEST array. However, if someone decides to invoke your script directly (by typing www.yoursite.com/process_form.php in the browser location bar), you won't get this variable, which causes an ugly error message (you DO have error_reporting(E_ALL) at the top of your script, don't you?). That's why you should always check if the field exists before trying to use it.

    I had a look at magic quotes. Is it like a module or does it come with standard PHP? Why do you have to check for it?
    This is (unfortunately) standard PHP. This setting controls how special chars in input should be handled. If someone enters O'Reilly in the form above, your script gets O'Reilly or O\'Reilly depending on that setting. If this setting is on, you should remove the extra slashes added by PHP.

    I have no idea how to get from stage 1 to stage 2.
    Stage 2 is optional and only illustrates that you must use htmlspecialchars before outputting anything on the web page.

    The general user input processing schema looks like

    0. at the top of your script write

    error_reporting(E_ALL);
    set_magic_quotes_runtime(0);

    1. check if field name exists in request.
    If it doesn't, use default value or give an error message

    2. if field name exists in request and magic_quotes are ON, remove extra slashes.

    3. if you need to print user input, make a copy of it, apply htmlspecialchars and print the result.

    4. if user input should be added to database, make a copy, apply addslashes and insert the result in your query.
    Note that you don't need to strip slashes when you fetch data from db or any external source. The only purpose of stripslashes is to recover data from magic_quotes.

    Hope this helps.
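    The five steps above put together in one preview.php-style script, as an added example that is not stereofrog's or Jappy's code. It also escapes the preview form's value attribute, which is where a single quote otherwise cuts the field. read_field() and for_html() are names chosen here, the DB credentials are placeholders, and a bound parameter is used for the insert in place of addslashes.

```php
<?php
error_reporting(E_ALL);
// Steps 1 and 2: return the field or a default, and undo magic_quotes if PHP added slashes.
// get_magic_quotes_gpc() only exists on PHP < 8; newer versions never add slashes.
function read_field(array $req, $name, $default = '')
{
    if (!isset($req[$name])) {
        return $default;            // field missing: the script was opened directly
    }
    $value = $req[$name];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Step 3: escape a copy for HTML. ENT_QUOTES also converts the single quote,
// so the value='...' attribute below survives input such as O'Reilly.
function for_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$stage = isset($_GET['stage']) ? $_GET['stage'] : 'start';
$input = read_field($_POST, 'form_field', '');

if ($stage === 'preview') {
    echo 'Preview Data:<br>' . for_html($input) . '<br>';
    echo "<form action='preview.php?stage=end' method='post'>
            <input type='hidden' name='form_field' value='" . for_html($input) . "'>
            <input type='submit' value='Add Entry'>
          </form>";
}

if ($stage === 'end') {
    // Step 4: a bound parameter does the quoting the thread used addslashes for.
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
    $stmt = $db->prepare('INSERT INTO element (element) VALUES (?)');
    $stmt->bind_param('s', $input);
    $stmt->execute();
    echo "Your text has been inserted into the database. <a href='preview.php?stage=show'>View</a>";
}

if ($stage === 'show') {
    // No stripslashes on the way out: the DB holds the raw text, escape only for HTML.
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
    foreach ($db->query('SELECT element FROM element') as $row) {
        echo for_html($row['element']) . '<br>';
    }
}
```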

  5. #5
    SitePoint Guru mwolfe's Avatar
    Join Date
    Mar 2005
    Posts
    912
    I was having a hell of a time trying to get a site I built to work with magic quotes both on and off. Someone gave me the following code. Although I was very reluctant to use it, eventually I tried it and it worked flawlessly. Put this at the top of each page:

    Code:
    if (get_magic_quotes_gpc())
    {
        if (!empty($_GET))    {
            $_GET    = strip_magic_quotes($_GET);
        }
        if (!empty($_POST))   {
            $_POST   = strip_magic_quotes($_POST);
        }
        if (!empty($_COOKIE)) {
            $_COOKIE = strip_magic_quotes($_COOKIE);
        }
    }
    Add this function either in the same file or in a PHP include file, if you already have one that contains functions for your site:

    Code:
    function strip_magic_quotes($arr)
    {
        foreach ($arr as $k => $v)
        {
            if (is_array($v))
                { $arr[$k] = strip_magic_quotes($v); }
            else
                { $arr[$k] = stripslashes($v); }
        }

        return $arr;
    }
    Then just code your entire site as though magic quotes are off. This is a bit wasteful if magic quotes is already off (you could always just delete it if you know your host will not have magic quotes on; however, I was putting the site on a host where I was not sure if I could change the magic quotes setting, because he had a couple of other sites he was hosting that used PHP). All it does is strip all the magic quotes that have been added in. Just make sure that you use mysql_real_escape_string before inserting any form data into your db.

  6. #6
    SitePoint Zealot
    Join Date
    Jul 2003
    Location
    London
    Posts
    189
    OK, more fiddling and I have it working for double quotes but still not for single quotes.

    It's passing the variable through the preview phase that is the problem.

    Try running the script with a single quote in it and it displays fine in the preview but cuts it in the hidden field, so that it does not go through to the final stage.... ahhhhh

    It would be great if someone could take a look for me.

    PHP Code:
    <?php

    // display form if first time on page

    if ($_GET['stage'] == "start")
    {
        echo "Collect Data:<br>";
        echo "<form action='preview.php?stage=preview' method='post'>
                 <input name='form_field' type='text'>
                 <input type='submit' value='Preview Entry' class='button'>
              </form>";
    }

    // display preview on submit

    if (@$_GET['stage'] == "preview")
    {
        $input_data = $_REQUEST['form_field'];
        if (get_magic_quotes_gpc())
        {
            $input_data = stripslashes($input_data);
        }

        echo "Preview Data:<br><br>";
        echo $input_data;

        echo "<br><form action='preview.php?stage=end' method='post'>
              <input type='text' name='form_field' value='$input_data'>
              <input type='submit' value='Add Entry'>
              </form>";
    }

    // display confirmation page and submit to database

    if ($_GET['stage'] == "end")
    {
        $input_data = $_REQUEST['form_field'];
        $input_data = addslashes($input_data);
        $query = "insert into element (element) values ('$input_data')";
        $result = mysql_query($query) or die ("Couldn't execute query.");
        echo "Your text has been inserted into the database. <a href='preview.php?stage=show'>View</a>";
    }

    if ($_GET['stage'] == "show")
    {
        $query = "select element from element";
        $result = mysql_query($query) or die ("Couldn't execute query.");
        $row = mysql_fetch_array($result);
        $element = stripslashes($row['element']);
        echo $element;
    }

    ?>

    JP

