Help with displaying the name "O'Brien" from a database to an input box

Hi folks,

I’m using PHP and a MySQL database. I’ve a page where users can edit a name. When I select to edit the name “O’Brien”, the only thing that appears in the input box is “O” before I start editing it. When these names are added I have the code below featured before it writes it to the database:



  $SurName=mysql_real_escape_string($_POST['inputSurName']);


I thought that would have fixed it, as it’s writing “O’Brien” to the database but it’s not. Below is the code from the form that displays the name in the text box:



$query = "SELECT * FROM tblpupil WHERE PupilID = $id";
$result = mysql_query($query);

while($row = mysql_fetch_array($result)) {
	echo "<form method=post action=editname2.php?id=" . $row['PupilID'] . ">";
	echo "<table border=0 cellSpacing=2 cellPadding=1 width=90%>";
	echo "<tr><td colspan=4><FONT align=left color=#808080 size=5>Edit Pupil Name</Font></td></tr>";

	echo "<TR><TD></td></tr><TR><TD></td></tr><TR><TD></td></tr>";
	echo "<tr><td width=50%>First Name</td>";
	echo "<td><input type=text name=editFirstName size=20 value='" . $row['FirstName'] . "'></td></tr>";
	echo "<tr><td>Surname</td>";
	echo "<td><input type=text name=editSurName size=20 value='" . $row['SurName'] . "'></td></tr>";
	echo "<tr><td colspan=2 align=center><input type=submit name=submit value=Save>  <input type=submit name=cancel value=Cancel></td></tr></table>";
}

Here the surname for the pupil Stephen O’Brien is displaying just “O”. Does anybody know how to fix this? Any help would be greatly appreciated.

Thanks guys!

If you visualize what the html output would look like, you would visualize something like this:

<input type=text name=editSurName size=20 value='O'Brien'>

And, as you can see, the single quote in the name is serving as the closing quote for the value=''.

The solution would be to output the name as html entities:


echo "<td><input type=text name=editSurName size=20 value='" . htmlentities($row['SurName']) . "'></td></tr>";

Right explanations but wrong code.
htmlspecialchars($row['SurName'], ENT_QUOTES)
would do the trick

thanks for sharing… I have been using sonjay’s method up until, well now :smiley:

will give this a try in the next few mins.

I see that the ENT_QUOTES optional parameter is needed to make it convert the single quotes. I always double-quote my value="" so I don’t typically need that for this type of thing.

But both htmlentities and htmlspecialchars have the ENT_QUOTES option. Is there a reason htmlspecialchars would be preferable to htmlentities?

htmlspecialchars is a general-purpose tool that does as little as possible, so as not to harm anything. It should be used by default.
htmlentities is a very complicated tool that will do many unexpected things; it should be used with caution, not by default.
It is strongly suggested to use UTF-8 encoding instead of htmlentities.
I doubt anyone wants their text to be represented with entities. So don’t use it, especially if you want to convert only control chars, not text.
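An added example, not code from any poster in this thread: it prints how the three calls discussed above treat a single quote, a double quote and a non-ASCII letter, then renders the edit form with double-quoted attributes and every dynamic value escaped. The `attr()` and `textInput()` helpers and the sample `$row` are assumptions made for illustration, and the file is assumed to be saved as UTF-8.

```php
<?php
// Added example: escaping database values for the HTML attribute context.
// $row is constructed sample data standing in for a mysql_fetch_array() result.

/** Escape a value for use inside a quoted HTML attribute (hypothetical helper). */
function attr($value)
{
    // ENT_QUOTES converts both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build a text input with a double-quoted, escaped name and value (hypothetical helper). */
function textInput($name, $value)
{
    return '<input type="text" name="' . attr($name) . '" size="20" value="' . attr($value) . '">';
}

$row = array('PupilID' => 7, 'FirstName' => 'Zoë "Zo"', 'SurName' => "O'Brien"); // constructed

// Flags are passed explicitly so the comparison does not depend on the PHP
// version's defaults (PHP 8.1 changed the default from ENT_COMPAT to ENT_QUOTES).
$variants = array(
    'htmlentities, ENT_COMPAT'     => function ($s) { return htmlentities($s, ENT_COMPAT, 'UTF-8'); },
    'htmlspecialchars, ENT_QUOTES' => function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); },
    'htmlentities, ENT_QUOTES'     => function ($s) { return htmlentities($s, ENT_QUOTES, 'UTF-8'); },
);

// One line per (function, field): shows which calls leave the apostrophe
// untouched and which ones rewrite the letter ë as a named entity.
foreach ($variants as $label => $escape) {
    foreach (array('SurName', 'FirstName') as $field) {
        printf("%-30s %-10s %s\n", $label, $field, $escape($row[$field]));
    }
}

// The form itself: a stored value can no longer close the attribute, whether
// it contains ' or ", and the numeric id is cast to int before it reaches the URL.
echo '<form method="post" action="editname2.php?id=' . (int) $row['PupilID'] . '">' . "\n";
echo textInput('editFirstName', $row['FirstName']) . "\n";
echo textInput('editSurName', $row['SurName']) . "\n";
echo "</form>\n";
```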

thanks for all your help, worked like a charm

Your responses sent me off in search of more information on the differences between the two functions. Thanks for the heads-up. I learned that I’ve been using htmlentities() in a lot of places where I should be using htmlspecialchars().