How can I make it possible for users to use the '"' (double quote) inside a textfield...
Whenever I do use double-quote in the field (the value) then when receiving the variable in my PHP file with:
$text=mysql_real_escape_string($_POST['subject']);
and then echo it, I get a string which is escaped properly, but the string stops exactly before the double-quote!
I dont want it to stop because of the double-quote though!
Javascript is used to validate the text-field so its not empty, maybe I should do something more with javascript when validating, and altering the value, so php can get the correct value including the double quotes?
Thanks
UPDATE
CODE:
$headline= mysql_real_escape_string($_POST['headline']);
echo htmlentities($headline);
I have tried merging the two above, will only give the same results.
NOTE: I have ALSO TRIED adding ENT_QUOTES into the htmlentities function...
Unformatted string as entered:
+ , . ; : - _ space & % ! ? = # * ½ # / \ [ ]< > " ' hej hej
will output this when echoing it:
+ , . ; : - _ space & % ! ? = # * ½ # / \\ [ ]< >
You have to use htmlspecialchars($str, ENT_QUOTES) or htmlentities($str, ENT_QUOTES) to convert the quotes to the HTML entity ". Those function also take care of other characters that should be encoded.
mysql_real_escape_string() is only meant for escaping single quotes in database queries, so that you can correctly enter strings with single quotes into your database (and avoid SQL injections).
EDIT: Added parameters. Thanks to micahwittman
The reason it isn't working when you're outputting it into the input is because the value is being truncated at the quote. You'll need to use htmlspecialchars() on the output.
You're mixing up two things: mysql_real_escape_string is used to prepare strings for storing in a mysql database. htmlentities is used to prepare strings for echoing in the browser. Both are important to do, but calling one after the other on the same string can't be expected to work. Do something like the following:
// Copy string after escaping for mysql into $db_headline
$db_headline= mysql_real_escape_string($_POST['headline']);
// Copy string after escaping for page display into $html_headline
$html_headline = htmlentities($_POST['headline']);
// Store the headline in the database
...
?>
<input type="text" name="headline" value="<?php echo $html_headline ?>" />
...
Its not the job of the JS to modify the input string, server should make sure it can accept what its getting regardless.
You could escape out the double quotes with another value either Assci symbol or HTML " etc. before you pass it into your mysql escape function?
Related
I have a hint echo'd however, i have a issue with " and ' i can echo numerical values to the string, but not words..
$hint='<a href="javascript:void(0)"
onclick="javascript:document.contactForm.musicDetailTitle4.value=5;
document.contactForm.musicDetailArtist4.value=foo;">fill form</a>'.
5 works but foo doesn't works.
UPDATE
Still not getting an output
$hint='fill form'.
Whole Code
echo $hint='fill form'.$artist."-".$title."-".$id."</a>";
Output is...
fill formTomato Soup-Heinz-0001fill formTomato Soup-Heinz-0001
You need to escape the quotes
$hint='fill form'.
It doesn't have much to do with PHP but rather JavaScript.
When passing a numeric value you just pass the number itself, but when passing strings you must wrap them in quotations otherwise the compiler will mistake "foo" for a variable named foo which may or may not exist.
As others mentioned, all you have to do is wrap your string like so:
\'foo\'
The slashes are because you don't want to close your echo which was also opened using a single quote, so you need to escape the character so when it's echoed to the user it will become 'foo'.
Try this -
$hint='fill form'.
When declaring a string value you must add quotes, and when adding it in this way you must escape those quotes using the \ key.
I have some question about saving html code in mysql database
every time when I put the charter " ' " in the database it changes to " / ".
Example:
somthing like that
<p>That's my name</p>
After saving it look like this:
<p>That\'s my name</p>
what can i do?
thank u all
Use parameterized queries to escape data going into the database
Use nothing else to escape data going into the database (otherwise you will double escape which can use this problem)
Do not use mysql_real_escape_string
Do not use addslashes
etc
Do not escape data coming out of the database (since that will cause this problem)
Make sure magic quotes are disabled (since having them turned on will escape data going into and out of the database and cause this problem).
You are using addslashes like escape functions in your code.
addslashes() — Quote string with slashes - http://php.net/manual/en/function.addslashes.php
stripslashes() — Un-quotes a quoted string - http://php.net/manual/en/function.stripslashes.php
Use stripslashes to remove '\' from HTML data. Actually (') is used define string in MySql, so it ecaspe it (by putting \ in-front) in order to avoid any unintentional use.
For example I want to store the String "That's all". MySQL automatically escapes the ' character. How do I echo that String from the database using php but remove the \ in front of escaped characters like \' ? I would also like to preserve other formatting like new lines and blank spaces.
Have you tried stripslashes(), regarding the linebreaks just use the nl2br() function.
Example:
$yourString = "That\'s all\n folks";
$yourString = stripslashes(nl2br($yourString));
echo $yourString;
Note: \\ double slashes will turn to \ single slashes
You should probably setup your own function, something like:
$yourString = "That\'s all\n folks";
function escapeString($string) {
return stripslashes(nl2br($string));
}
echo escapeString($yourString);
There are also several good examples in the nl2br() docs
Edit 2
The reason your are seeing these is because mysql is escaping line breaks, etc. I am guessing you are using mysql_* functions. You should probably look into mysqli or PDO.
Here is an example:
$yourString = "That's all
folks";
echo mysql_escape_string($yourString);
Outputs:
That\'s all\r\n folks
If you use prepared statements, those characters will not be escaped on insert.
Use stripslashes() to remove slashes if you cannot avoid adding slashes on input.
At first, magic_quotes_gpc escapes the character like ' or ". You can also disable this in your php.ini. But then you should escape the things yourself that no query can get "infected".
Lookup mysql injection for more information.
When the escaped string is been written in your database. The string doesn't contain theses escape charakters and when you output them again. You should see the result as you want it.
Me for myself prefer the method by storing everything without escapes and escape or display things when I output them. You could also easily use an str_replace("\n", "", $text) to prevent newslines are displayed.
Greetings MRu
I have built a search engine using php and mysql.
Problem:
When I submit a word with an apostrophe in it and return the value to the text field using $_GET the apostrophe has been replaced with a backslash and all characters after the apostrophe are missing.
Example:
Submitted Words: Just can't get enough
Returned Value (Using $_GET): Just can\
Also the url comes up like this:search=just+can%27t+get+enough
As you can see the ' has been replaced with a \ and get enough is missing.
Question:
Does anybody know what causes this to happen and what is the solution to fix this problem?
The code:
http://tinypaste.com/11d62
If you're running PHP version less than 5.3.0, the slash might be added by the Magic Quotes which you can turn off in the .ini file.
From your description of "value to the text field" I speculate you have some output code like this:
Redisplay
<input value='<?=$_GET['search']?>'>
In that case the contained single quote will terminate the html attribute. And anything behind the single quote is simply garbage to the browser. In this case applying htmlspecialchars to the output helps.
(The backslash is likely due to magic_quotes or mysql_*_escape before outputting the text. I doubt the question describes a database error here.)
Update: It seems it's indeed an output problem here:
echo "<a href='searchmusic.php?search=$search&s=$next'>Next</a>";
Regardless of if you use single or double quotes you would need:
echo "<a href='searchmusic.php?search="
. htmlspecialchars(stripslashes($search))
. "&s=$next'>Next</a>";
(Notice that using stripslashes is a workaround here. You should preserve the original search text, or disable the magic_quotes rather.)
Okay I forgot something crucial. htmlspecialchars needs the ENT_QUOTES parameter - always, and in your case particularly:
// prepare for later output:
$search = $_GET['search'];
$html_search = htmlspecialchars(stripslashes($search), ENT_QUOTES);
And then use that whereever you wanted to display $search before:
echo "<a href='searchmusic.php?search=$html_search&s=$next'>Next</a>";
Single quotes are important in PHP and MySQL.
A single quote is a delimeter for a string in PHP, for example:
$str = 'my string';
If you want to include a literal quote inside a string you must tell PHP that the quote is not the end of the string. It is escaped with the backslash, for example:
$str = 'my string with a quote \' inside it';
See PHP Strings for more on this.
MySQL operates in a similar way. An example query might be:
$username = 'andyb';
$quert = "SELECT * FROM users WHERE user_name = '$username'";
The single quote delimits the string parameter. If the $username included a single quote, this would cause the query to end prematurely. Correctly escaping parameters is an important concept to be familiar with as it is one attack vector for breaking into a database - see SQL Injection for more information.
One way to handle this escaping is with mysql_real_escape_string().
How can I make it possible for users to use the '"' (double quote) inside a textfield...
Whenever I do use double-quote in the field (the value) then when receiving the variable in my PHP file with:
$text=mysql_real_escape_string($_POST['subject']);
and then echo it, I get a string which is escaped properly, but the string stops exactly before the double-quote!
I dont want it to stop because of the double-quote though!
Javascript is used to validate the text-field so its not empty, maybe I should do something more with javascript when validating, and altering the value, so php can get the correct value including the double quotes?
Thanks
UPDATE
CODE:
$headline= mysql_real_escape_string($_POST['headline']);
echo htmlentities($headline);
I have tried merging the two above, will only give the same results.
NOTE: I have ALSO TRIED adding ENT_QUOTES into the htmlentities function...
Unformatted string as entered:
+ , . ; : - _ space & % ! ? = # * ½ # / \ [ ]< > " ' hej hej
will output this when echoing it:
+ , . ; : - _ space & % ! ? = # * ½ # / \\ [ ]< >
You have to use htmlspecialchars($str, ENT_QUOTES) or htmlentities($str, ENT_QUOTES) to convert the quotes to the HTML entity ". Those function also take care of other characters that should be encoded.
mysql_real_escape_string() is only meant for escaping single quotes in database queries, so that you can correctly enter strings with single quotes into your database (and avoid SQL injections).
EDIT: Added parameters. Thanks to micahwittman
The reason it isn't working when you're outputting it into the input is because the value is being truncated at the quote. You'll need to use htmlspecialchars() on the output.
You're mixing up two things: mysql_real_escape_string is used to prepare strings for storing in a mysql database. htmlentities is used to prepare strings for echoing in the browser. Both are important to do, but calling one after the other on the same string can't be expected to work. Do something like the following:
// Copy string after escaping for mysql into $db_headline
$db_headline= mysql_real_escape_string($_POST['headline']);
// Copy string after escaping for page display into $html_headline
$html_headline = htmlentities($_POST['headline']);
// Store the headline in the database
...
?>
<input type="text" name="headline" value="<?php echo $html_headline ?>" />
...
Its not the job of the JS to modify the input string, server should make sure it can accept what its getting regardless.
You could escape out the double quotes with another value either Assci symbol or HTML " etc. before you pass it into your mysql escape function?