  #1 lukeurtnowski

    ' in a combo box?

    On a form I have a combo box where one of the options is "Don't know". I'm writing it to a MySQL database and when I display the data, it looks like Don\'t know (I set up the combo box like this).
    HTML Code:
    <select name="ASP_Type">
    	<option value="Don&#39;t know">Don't know</option>
    	<option value="Agency">Agency</option>
    	<option value="Driver">Driver</option>
    	<option value="Independent">Independent</option>
    </select>
    How can I insert a ' and display a '?
    Thanks...

  #2 php_daemon
    Use stripslashes before outputting it.
    Saul

  #3
    echo htmlspecialchars($var, ENT_QUOTES);

  #4 cranial-bore
    When are you displaying the data?
    What would normally happen by default is that PHP with magic quotes on would escape the single quote (turn it into \').
    This is so your SQL insert query doesn't treat the ' as special, and can insert it as a normal character. The data stored in the DB should not include the slash.
    When you SELECT from the DB you should only be getting the '
    However it's a good idea to use htmlspecialchars to convert that to the HTML character code when DISPLAYING the data.

    Basically the ' has potential to break both SQL queries, and HTML code. They are separate issues caused by the same character.
    When INSERTING data the string must be escaped (often done automatically if magic_quotes is enabled), and when displaying data it should be encoded as described above.

    If you're echoing the variable directly from PHP (as opposed to selecting it from MySQL) and it's already been escaped you'll need to use stripslashes as mentioned to remove the escape characters.

    Does that make sense?

  #5 lukeurtnowski
    Yes, thanks for explaining it to me. However this seems to work,
    PHP Code:
    $ASP_Type = $_POST["ASP_Type"];
    $type = stripslashes($ASP_Type);
    But you say this is better,
    PHP Code:
    $ASP_Type = $_POST["ASP_Type"];
    $type = htmlspecialchars($ASP_Type, ENT_QUOTES);
    Which method is better?
    And I am using a MySQL database and when I used the 1st method, it writes Don't know in the database.

  #6 cranial-bore
    Here is my complete recommendation:
    1. Turn magic quotes off using php.ini or more likely .htaccess on a shared server
    2. you are now responsible for escaping data before inserting it into the DB. In this case escaping means using addslashes or mysql_real_escape_string on any data before it gets inserted. This will turn ' into \' so that the single quote doesn't interrupt your SQL query (do a search for SQL injection attacks for more info)
    3. Before DISPLAYING data you should be using htmlspecialchars with the ENT_QUOTES flag. This converts < > & ' and " to their character codes. This is a related but separate issue to escaping for DB insertion. The reason for this is to avoid having invalid HTML that could break your layout. Do not use htmlspecialchars before inserting to DB.


    Things get a bit tricky if you want to insert a variable into a DB and also display it to the browser in the same execution.
    In this case you either need to make a copy of the variable, escape one for DB insertion, and use htmlspecialchars on the other variable for display
    OR
    You need to escape the var for DB insertion, then use stripslashes to get it back to how it was, and then use htmlspecialchars to encode it for output.

    It might be worth mentioning that htmlspecialchars should be used regardless of DB usage. Anytime you're displaying data that could contain < > & " or ' it should be encoded so those chars are converted to character entities.

    In a nutshell the special chars can "break" things. You use htmlspecialchars to avoid those characters breaking your HTML and you use addslashes or equivalent to avoid breaking your SQL query.
    In both cases the idea is to remove the special meaning those characters have.

    I don't know if I've explained that well.
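The following is an added example, not code from any poster in this thread. It carries the split that posts #4 and #6 describe (escape for the SQL query, encode for the HTML output, never both on the same copy) through a full insert-then-display round trip, and it also reproduces the double-escaping that puts a backslash in the database. It assumes PHP with the PDO SQLite driver, using an in-memory SQLite database as a stand-in for the MySQL table; the `answers` table, the `$post` array and the field name `ASP_Type` are constructed here. Parameter binding stands in for `addslashes`/`mysql_real_escape_string`, which later PHP versions removed, and step 1 of post #6 (magic quotes off) is assumed.

```php
<?php
// Added example: "escape for SQL, encode for HTML" from posts #4 and #6.
// Uses PDO + SQLite in memory so it runs offline; MySQL would use the same
// PDO calls with a mysql: DSN. Assumes magic_quotes_gpc is off (post #6, step 1).
declare(strict_types=1);

// Constructed table standing in for the form's MySQL table.
function buildSchema(PDO $db): void
{
    $db->exec("CREATE TABLE answers (id INTEGER PRIMARY KEY, asp_type TEXT NOT NULL)");
}

// Store the value exactly as the user sent it. The bound parameter keeps the
// single quote from terminating the SQL string literal, so no addslashes() call
// is needed, and nothing is HTML-encoded on the way in (post #6, point 3).
function storeAnswer(PDO $db, string $aspType): int
{
    $stmt = $db->prepare("INSERT INTO answers (asp_type) VALUES (:t)");
    $stmt->execute([':t' => $aspType]);
    return (int) $db->lastInsertId();
}

function loadAnswer(PDO $db, int $id): ?string
{
    $stmt = $db->prepare("SELECT asp_type FROM answers WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['asp_type'];
}

// Encode only when writing into HTML. ENT_QUOTES makes ' become &#039; as well
// as handling < > & and ", so the value cannot end an attribute or start a tag.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed request, standing in for $_POST after submitting the <select>
// from post #1 (the browser decodes Don&#39;t know back to Don't know).
$post = ['ASP_Type' => "Don't know"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
buildSchema($db);

// Insert and display in the same execution: the raw value goes to the DB via
// the bound parameter, and the same raw value is encoded separately for output.
$id = storeAnswer($db, $post['ASP_Type']);
$stored = loadAnswer($db, $id);
echo "stored in DB : {$stored}\n";                // Don't know (no backslash)
echo "shown in HTML: <option selected>" . forHtml($stored) . "</option>\n";

// The trap from the thread: if the value was already escaped (magic quotes,
// simulated here with addslashes) and is then inserted through a bound
// parameter, the backslash itself is stored and later appears on screen.
$alreadyEscaped = addslashes($post['ASP_Type']);  // Don\'t know
$badId = storeAnswer($db, $alreadyEscaped);
echo "double-escaped row: " . loadAnswer($db, $badId) . "\n";   // Don\'t know

// Post #4's remedy for an already-escaped copy: stripslashes first, then
// encode for output. This repairs the display but not the bad row.
echo "repaired for display: " . forHtml(stripslashes((string) loadAnswer($db, $badId))) . "\n";
```

Run it with `php example.php`. The first row shows the normal path: the quote reaches the database unchanged and only gains `&#039;` at output. The second row shows why post #6 wants magic quotes off: once escaping has happened twice, the escape character is data, and `stripslashes` at display time only hides that the wrong string is stored.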

