  1. #1
    SitePoint Enthusiast
    Join Date
    Jun 2002
    Location
    Virginia, USA
    Posts
    61

    difference between text and textarea with addslashes?

    Is there a difference between a text box and textarea when using addslashes?
    Magic quotes is off and I addslashes before I insert into my database. When I get the information out of my database the data has an extra \ before any "'" if it is from the text box, but information that I have inserted from the textarea to the database comes out fine with "'" in it.

    <input type="text" name="Job_Title" size="35" maxlength="51" value="<?php echo $_SESSION['Job_Title']?>">

    <textarea name="Description" rows="4" cols="35"><?php echo $_SESSION['Description'] ?></textarea>

    I'm not sure if I'm using the "" and '' correctly with $_SESSION and value=. I have tried a bunch of combinations but nothing gets rid of the \ from the text box.

  2. #2
    gingham dress, army boots... silver trophy redux's Avatar
    Join Date
    Apr 2002
    Location
    Salford / Manchester / UK
    Posts
    4,838
    text inputs and text areas shouldn't have any differences.
    maybe you're doing some extra adding/removing of slashes at other points in your scripts ?
    as a rule (and sorry if this sounds patronising...not sure what the problem might be, so covering the simple things first) addslashes to anything you put into the database, and then display it with stripslashes when you get it out of the database.
    re·dux (adj.): brought back; returned. used postpositively
    [latin : re-, re- + dux, leader; see duke.]
    WaSP Accessibility Task Force Member
    splintered.co.uk | photographia.co.uk | redux.deviantart.com

  3. #3
    SitePoint Guru dragonhawk's Avatar
    Join Date
    Apr 2002
    Location
    Melbourne
    Posts
    707
    just adding to redux...

    if you don't have addslashes, anyone entering stuff like " or ' or $ may cause a few problems when you want to retrieve the values from the database.

    Therefore it is safer to use addslashes if there is a chance of the user entering these characters (I think there are more though)...

    And when retrieving the info from the db, don't forget stripslashes otherwise you'll be seeing \" or \' or \$ in front of those values.

    Can be kind of a put off if customers see a page full of those.

    So in your case,

    <textarea name="Description" rows="4" cols="35"><?php echo $_SESSION['Description'] ?></textarea>

    try

    <textarea name="Description" rows="4" cols="35"><?php echo stripslashes($_SESSION['Description']) ?></textarea>

  4. #4
    SitePoint Enthusiast
    Join Date
    May 2002
    Location
    Pittsburgh PA
    Posts
    44
    How does this change if you have a $PHP_SELF three-stage script? I have a preview and "filled-in" form, before sending my text to a db, similar to this forum.

    It seems I have to addslashes() to the first appearance, stripslashes and then add them if there is more than one go-round on the preview before sending them to the db. Does that sound sensible or is there another strategy?

    Alex

  5. #5
    Making a better wheel silver trophy DR_LaRRY_PEpPeR's Avatar
    Join Date
    Jul 2001
    Location
    Missouri
    Posts
    3,428
    *sigh* you people with stripslashes() from the database!

    you never, never, never should need to use stripslashes() when retrieving data! if you do, you aren't inserting the text properly. see my post in this thread (the 3rd one): http://www.sitepointforums.com/showt...threadid=68200

    please get the data in correctly! it'll save space in the DB and save time when retrieving.
    - Matt ** Ignore old signature for now... **
    Dr.BB - Highly optimized to be 2-3x faster than the "Big 3."
    "Do not enclose numeric values in quotes -- that is very non-standard and will only work on MySQL." - MattR

  6. #6
    SitePoint Enthusiast
    Join Date
    May 2002
    Location
    Pittsburgh PA
    Posts
    44
    I'm not retrieving.

    If in an HTML text box someone enters: "Hi there"

    It gets passed to the variable name=text_box_stuff.

    When it arrives in the next stage of the PHP_SELF in which I have the following PHP:
    PHP Code:
    <input type="text" name="text_box_stuff" size="20" value="<?php print "$text_box_stuff" ?>">
    which will produce the following HTML:
    PHP Code:
    <input type="text" name="text_box_stuff" size="20" value=""Hi There"">
    Which means, because of the now paired quote marks it will be rendered in the browser as an "empty" box even though there is text in the box.

    In addition I am trying to construct a longer string variable from the elements of the form. I don't really need the individual pieces in the database - only the final string.

    That's my current dilemma.
    Alex

  7. #7
    Making a better wheel silver trophy DR_LaRRY_PEpPeR's Avatar
    Join Date
    Jul 2001
    Location
    Missouri
    Posts
    3,428
    sorry Alex, i wasn't talking about you with stripslashes(). to fix your problem with someone typing a quote, use htmlspecialchars():

    PHP Code:
    <input type="text" name="text_box_stuff" size="20" value="<?php echo htmlspecialchars($text_box_stuff)?>" />

  8. #8
    SitePoint Addict whofarted's Avatar
    Join Date
    Aug 2001
    Location
    lost, If you find me please return me to St.Louis
    Posts
    396
    Originally posted by DR_LaRRY_PEpPeR
    *sigh* you people with stripslashes() from the database!

    you never, never, never should need to use stripslashes() when retrieving data! if you do, you aren't inserting the text properly. see my post in this thread (the 3rd one): http://www.sitepointforums.com/showt...threadid=68200

    please get the data in correctly! it'll save space in the DB and save time when retrieving.
    I've tried that but I have to use addslashes to insert some text & if I don't use stripslashes to retrieve it I get all slashes around stuff. so it apparently isn't working for everyone like you say.
    You smell something?

  9. #9
    SitePoint Enthusiast
    Join Date
    May 2002
    Location
    Pittsburgh PA
    Posts
    44
    Thanks, Dr. Pepper. Now I see where that function is used.

    So if someone were to stick in an "echo $var" in the textbox would I need:
    PHP Code:
    <input type="text" name="text_box_stuff" size="20" value="<?php echo addslashes(htmlspecialchars($text_box_stuff))?>" />
    ???

    (Perhaps I'm losing track of what PHP is doing and what HTML/Browser is doing)
    aLEX
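
The preview round trip discussed in posts #6 to #9, as an added example that is not code from any poster: it writes a value into `value="..."` with three candidate encoders and uses `DOMDocument` as a stand-in for the browser to read the attribute back over three preview rounds. The sample input and the helper names `renderInput` and `parsedValue` are assumptions for illustration; the DOM extension is assumed to be installed.

```php
<?php
// Constructed sample input, as if typed into the text box (not from the thread).
$typed = '"Hi there" from Bob\'s <b>desk</b>';

// Candidate encoders for the value="..." attribute.
$encoders = [
    'raw'              => fn(string $s): string => $s,
    'addslashes'       => fn(string $s): string => addslashes($s),
    'htmlspecialchars' => fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
];

// What PHP writes into the page for one preview round (hypothetical helper).
function renderInput(string $value, callable $encode): string
{
    return '<input type="text" name="text_box_stuff" size="20" value="'
        . $encode($value) . '">';
}

// What an HTML parser, standing in for the browser, reads back from value="...".
function parsedValue(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // the unescaped variants are malformed HTML
    $doc->loadHTML('<!DOCTYPE html><html><body><form>' . $html . '</form></body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

foreach ($encoders as $name => $encode) {
    $value = $typed;
    // Three preview rounds: render, let the parser read the field, post it back.
    for ($round = 1; $round <= 3; $round++) {
        $value = parsedValue(renderInput($value, $encode));
    }
    printf("%-17s unchanged after 3 previews: %s  ->  %s\n",
        $name, $value === $typed ? 'yes' : 'NO', var_export($value, true));
}
```

Only the `htmlspecialchars()` row comes back unchanged, because a backslash is not an escape character in an HTML attribute.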

  10. #10
    SitePoint Guru dragonhawk's Avatar
    Join Date
    Apr 2002
    Location
    Melbourne
    Posts
    707
    Originally posted by whofarted


    I've tried that but I have to use addslashes to insert some text & if I don't use stripslashes to retrieve it I get all slashes around stuff. so it apparently isn't working for everyone like you say.
    me too... that happens to me too...

  11. #11
    SitePoint Enthusiast
    Join Date
    Jun 2002
    Location
    Virginia, USA
    Posts
    61
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    fixed

    I had one too many addslashes in my code. Funny how everything looks clearer in the morning.
    When searching through a database do you need to addslashes as well?

    <?php
    $Job_Title = myAddSlashes($_POST['edit']);

    // Query the database and establish connection
    dbConnect('STL_JOB');

    // Check for existing job with the new job_title
    $sql = "SELECT COUNT(*) FROM JOB WHERE JOB_TITLE = '$Job_Title'";
    ?>

  12. #12
    SitePoint Wizard silver trophy someonewhois's Avatar
    Join Date
    Jan 2002
    Location
    Canada
    Posts
    6,364
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    yes, or like HarryF's article said:

    Say you have a thing "This is Bob's first post", it would do this:

    SELECT * FROM table WHERE text='This is Bob'

    and then it'll error saying something like:

    You have an error in your SQL syntax near 's first post'
    Because it doesn't know what to do with the stuff after the quote.

    Almost all the above is from HarryF's Article: http://www.pinkgoblin.com/quotesarticle.php

    I just re-worded some of it.

    Thanks,
    ~someonewhois
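
The search query from post #11 written with bound parameters instead of `addslashes()`, as an added example that is not code from any poster; it also stores one value that was escaped once too often, to show where the stray backslash on retrieval comes from. It assumes the `pdo_sqlite` extension, uses an in-memory SQLite table in place of the poster's MySQL `JOB` table, and the sample title and the `countJobs` helper are constructed for illustration.

```php
<?php
// In-memory SQLite stands in for the MySQL database (assumption of this example).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE JOB (JOB_TITLE TEXT)');

// Constructed sample value containing a single quote.
$title = "Bob's first post";

$insert = $db->prepare('INSERT INTO JOB (JOB_TITLE) VALUES (:title)');
$insert->execute([':title' => $title]);              // bound as data, no escaping call
$insert->execute([':title' => addslashes($title)]);  // escaped once too often

// Existence check: the value never becomes part of the SQL text (hypothetical helper).
function countJobs(PDO $db, string $title): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM JOB WHERE JOB_TITLE = :title');
    $stmt->execute([':title' => $title]);
    return (int) $stmt->fetchColumn();
}

// Show exactly what each insert left in the table.
foreach ($db->query('SELECT JOB_TITLE FROM JOB') as $row) {
    echo 'stored: ', var_export($row['JOB_TITLE'], true), "\n";
}

// The search matches only the row that was stored without extra escaping.
echo 'matches for the typed title: ', countJobs($db, $title), "\n";
```

The second stored row contains a literal backslash, which is the symptom that makes `stripslashes()` look necessary on retrieval.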

  13. #13
    SitePoint Wizard gold trophysilver trophy
    Join Date
    Nov 2000
    Location
    Switzerland
    Posts
    2,479
    Now I'm happy when someonewhois "quotes" me

    Join the war on quotes!

