Possible escaping quotes problem

This script displays the way I need it to when I manually insert it into my script with the correct value for $expdat: <span style="background-color:yellow">Expires ' . $expdat . '. </span>

How should I escape the quotes to be able to echo it from a mysql table?

If I just INSERT it (as is) into a mysql table and echo it from there, it displays as: Expires ’ . $expdat . '.

Simple answer, use addslashes() for escaping the data going into the database and stripslashes() (http://www.php.net/manual/en/function.stripslashes.php) for the data leaving the database.

You don't need stripslashes for data coming out of the database. It should be stored correctly in the database, i.e. not like "It\'s Wednesday" when you view the table.

You need htmlspecialchars() when outputting to HTML. Use the ENT_QUOTES option to convert single quotes too. That will keep your HTML intact.

So, if $var = <span style=/"background-color:yellow/">Expires/' . $expdat . /'. </span>

How do I need to change this script?:
echo '<p style="font-size:9px;margin:0px;">' . stripslashes($dclaim) . '</p>';

So, if $var = <span style="background-color:yellow">Expires ' . $expdat . '. </span>

How close is this script to working?:

$var = htmlspecialchars($var);
echo '<p style="font-size:9px;margin:0px;">' . $var . '</p>';

If you ever need to escape a character it’s a backslash, not a forward one. And you can often get around it with your choice of quotes.


$var = "<span style='background-color: yellow;'>Expires: $expdat</span>";
echo "<p style='font-size: 9px; margin: 0px;'>$var</p>";

Depending on what characters $expdat contains, you may need to run it through htmlspecialchars.

Almost there:


$var = htmlspecialchars($var,ENT_QUOTES);

To actually deal with single quotes properly.
PHP: htmlspecialchars - Manual

Save yourself some typing by creating a function called escape and use it to call htmlspecialchars.

I couldn’t get it to work.

$dclaim = htmlspecialchars($dclaim,ENT_QUOTES);
echo '<p style="font-size:9px;margin:0px;">' . $dclaim . '</p>';

displayed: <span style="background-color:yellow">Expires ' . $expdat . '.</span>

Post more of your code including where $dclaim and $expdat are set.


include_once "connect_to_mysql.php";
$result = mysql_query("SELECT * FROM stk WHERE id = 288") or die(mysql_error());
while ($row = mysql_fetch_array($result)) {
$pic = $row['pic'];
$pic2 = explode("-",$pic);
$expdate = $pic2[3];
$expdat =  substr($expdate,2,2) . "/" . substr($expdate,4,2) . "/" . substr($expdate,0,2);
$dclaim = $row['dclaim'];
$dclaim = htmlspecialchars($dclaim,ENT_QUOTES);
//$dclaim = <span style=\"background-color:yellow\">Expires $expdat. </span>
//$expdat = 06/09/12
echo '<p style="font-size:9px;margin:0px;">' . $dclaim . '</p>';

This script displays the code in $dclaim without the value of $expdat.
What do I need to change?


$expdate = $pic2[3];

$expdat =  substr($expdate,2,2) . "/" . substr($expdate,4,2) . "/" . substr($expdate,0,2);

$dclaim = $row['dclaim'];

$dclaim = htmlspecialchars($dclaim,ENT_QUOTES);

// Notice the . in front of the =
// This cats your expdate onto the end of dclaim
$dclaim .= "<span style=\"background-color:yellow\">Expires $expdat. </span>";


echo '<p style="font-size:9px;margin:0px;">' . $dclaim . '</p>'; 

Alternative approach, perhaps easier to understand:


$expdat =  substr($expdate,2,2) . "/" . substr($expdate,4,2) . "/" . substr($expdate,0,2);
$dclaim = $row['dclaim'];

// Exit out of php
?>
<p style="font-size:9px;margin:0px;">
  <?php echo htmlspecialchars($dclaim,ENT_QUOTES); ?>
 <span style="background-color:yellow">
    Expires <?php echo $expdat; ?>.
 </span>  
</p>
<?php
  // And back to php

Thread 11 is fine, except "<span style=\"background-color:yellow\">Expires $expdat. </span>" is displayed twice. Once correctly and the other is incorrect.

The correct display comes from: $dclaim .= "<span style=\"background-color:yellow\">Expires $expdat. </span>";

The incorrect display comes from the mysql table:
$dclaim = $row['dclaim'];
$dclaim = htmlspecialchars($dclaim,ENT_QUOTES);

The correct display needs to come from the mysql table.

How do you do that with this approach?

I am having trouble understanding what you mean.
What output do you get?
What output do you expect?
What is the value of $row['dclaim']?

What output do you get?

Thread #11 output (Expires 06/09/12. is in yellow BG): <span style=\"background-color:yellow\">Expires $expdat. </span> Expires 06/09/12.

What output do you expect?

I expect (in yellow BG): Expires 06/09/12.

What is the value of $row['dclaim']?

The value is: <span style=\"background-color:yellow\">Expires $expdat. </span>

I hope this helps

You are storing html directly in the database? And storing the name of a php variable in there as well?

Step back a bit. What exactly are you trying to do?

Yes to both questions.

How should I do it?

The hole in my script looks like this:

<div>

<p style="font-size:9px;margin:0px;">Something that says "Expires 06/09/12" </p>;

</div>

My thinking is that the date value would be stored in a column called "expdate" and some html would be stored in a column named "dclaim", and there'd be a php variable in the html for the date.

Why do you need the html to be stored in the database? That is a bit unusual.


<?php
$expdat =  substr($expdate,2,2) . "/" . substr($expdate,4,2) . "/" . substr($expdate,0,2);
?>
<p style="font-size:9px;margin:0px;">
 <span style="background-color:yellow">Expires <?php echo $expdat; ?>.</span>  
</p>

First you collect the data then you send it out.

If you really want to store html in your database then you will need some sort of custom template processor for it.
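A sketch of what such a template step could look like, added here as an example and not code from the thread: the stored snippet carries a named placeholder ({expdat}) instead of a PHP variable name, and the substituted value goes through htmlspecialchars with ENT_QUOTES on output. The $row array, the file name and the placeholder syntax are constructed assumptions.

```php
<?php
// Added example, not from the thread: a minimal "template processor" for an
// HTML snippet stored in the dclaim column. The snippet holds a named
// placeholder ({expdat}) instead of a PHP variable name, so nothing read from
// the database is ever evaluated as PHP.

// Constructed sample row standing in for $row from mysql_fetch_array().
$row = [
    'dclaim' => '<span style="background-color:yellow">Expires {expdat}.</span>',
    'pic'    => 'item-large-front-120609.jpg',   // explode('-') index 3 = 120609.jpg
];

// Same slicing as in the thread: YYMMDD... -> MM/DD/YY (trailing chars ignored).
function format_expdate(string $expdate): string
{
    return substr($expdate, 2, 2) . '/' . substr($expdate, 4, 2) . '/' . substr($expdate, 0, 2);
}

// Replace {name} placeholders with HTML-escaped values. The snippet itself is
// trusted markup written by the site owner; only the substituted values are
// escaped, so a value cannot close the span's attribute quote or inject tags.
// Unknown placeholders are removed rather than echoed back.
function render_snippet(string $snippet, array $values): string
{
    return preg_replace_callback(
        '/\{([a-z_]+)\}/',
        function (array $m) use ($values): string {
            if (!array_key_exists($m[1], $values)) {
                return '';
            }
            return htmlspecialchars((string) $values[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $snippet
    );
}

$pic2   = explode('-', $row['pic']);
$expdat = format_expdate($pic2[3]);
$dclaim = render_snippet($row['dclaim'], ['expdat' => $expdat]);
echo '<p style="font-size:9px;margin:0px;">' . $dclaim . '</p>' . PHP_EOL;

// A value containing markup is rendered as inert text, not as new tags.
$bad = render_snippet($row['dclaim'], ['expdat' => '06/09/12"><b>x</b>']);
echo $bad . PHP_EOL;
```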

OK. Thanks for all your help ahundiak, cranial-bore, and SgtLegend.