Replace %26 with ampersand - php

Every piece of research I look up refers to replacing the ampersand with %26, when in fact I want to replace %26 in the URL with the ampersand.
At the moment each time I pass the url under the GET command I get %26 back.
For example the code I am passing in the form is as follows
<form method="get" action="<?php echo $_SERVER['PHP_SELF'];?>">
<input type="text" id="stg" name="stg" size="25" value="<?php echo '?pn=' . $sub1 .'%26'.$jrny.'&Subject='.$Subject.'&pn2='.$sub1. '&arc='.$sess.'&Table_Id='.$Table_Id;?>" />
When I try string replace or rawurlencode functions I still end up with %26. What am I doing wrong?
Thanks

You can use the urldecode function:
print_r(urldecode ( "%26" ));
will print out:
&

Related

How to escape MS-SQL output in html/php?

Sounds very simple, but I'm kinda confused at the moment.
I have this DB object which includes some values that I want to output in an html form.
Simplified Problem:
$result is my db object and this is the html input where I want to output some text which can include double or single quotes.
<input class="someclass" name="desc" id="descID" type="text" value="<?=$result['desc'];?>" placeholder="<Description>" />
So if $result['desc'] contains text like this: 'Did you hear about "foobar"?'
everything after the first double quote gets cut off and ends up like this: 'Did you hear about '.
What I have tried already without success:
htmlspecialchars like this value="<?=htmlspecialchars($result['desc']);?>" or like this value="<?=htmlspecialchars($result['desc'], ENT_QUOTES);?>"
addslashes
Note: My DB(mssql) saves the string properly. Only have the problems in my html.
I would be glad if you could help me out here. Thanks.
Thanks for the help so far, but I managed to find a solution to this:
<?$descEscaped = str_replace('"', '&quot;', $result['desc']);?>
<input class="someclass" name="desc" id="descID" type="text" value="<?= htmlspecialchars($descEscaped);?>" />
htmlspecialchars replaces quotes with "&quot;".
I am using my simple function htmlliteral:
function htmlliteral($s){
return '"'.htmlspecialchars($s).'"';
}
With this function you can use:
$descEscaped = htmlliteral($result['desc']);
print "<input class=someclass name=desc id=descID type=text value=$descEscaped />";

php variables seems to be the same but they are not identical

I have 2 php variables:
$account_name
$my
If I use function:
var_dump($account_name);
I get:
string(192) "admin"
$account_name is displayed like a link to account name
If I use function:
var_dump($my);
I get:
string(5) "admin"
How can I change the variable $account_name so that it returns only the "admin" string?
I have a problem because if I use $account_name in the SQL query nothing happens, but if I use $my it works.
It might be the case that your $account_name contains html tags. Since you are viewing it in browser, it is processed as html. You need to extract the value from those tags.
Take a look at this post.
Try:
$account_name = strip_tags($account_name);
strip_tags reference
It is likely that your string contains non readable characters.
Try to strip the string using this example:
var_dump(preg_replace("/[^(\x20-\x7F)]*/", '', $account_name));
If it works it should return: string(5) "admin"
How are you setting your variables?
If you're getting it from a form like this:
<form action="/" method="get">
<input name="username" placeholder="Username">
<button>click me</button>
</form>
you should simply collect the value of the input extracting the value in php
<?php
$account_name = $_GET["username"];
echo $account_name;
?>
In some cases you might want to trim the variables with trim($_GET["username"]); to remove spaces before and after the string

php javascript form with dropdown has %24 in my _GET after I submit

I am submitting a form but have some issues with the way the _GET is coming back in the URL
Here is the code:
index.php/search?stmindate=2013-04-01&stmaxdate=2013-05-31&%24comname=teststring
As you can see, between 2013-05-31 and comname I get &%24
when I try and get it on the other side it wont come back as "teststring" and I assume it's because of this:
<form action="http://<?=$_SERVER["SERVER_NAME"]?>/index.php/search" method="GET">
By Start Date:<br/>
Min Date:<?= date_input("stmindate", $stmindate, true) ?>
Max Date:<?= date_input("stmaxdate", $stmaxdate, true) ?>
<select name="$comname">
<option value="all">All</option>
<?
for ($scan = 0; $scan < count($Companies); $scan++) {
$ty = $Companies[$scan]['name'];
$sel = "";
echo "<option $sel value=\"$ty\">$ty</option>".PHP_EOL;
}
?>
</select>
<input type="submit" value="Submit">
</form>
See your <select name="$comname">. You want to take the dollar sign out. %24 is a URL-friendly way of passing that $. Something that I assume you're not wanting to do.
http://www.obkb.com/dcljr/charstxt.html
%24 is a dollar sign. It is encoding that into the url string, you need to decode the url to use it, although it seems unlikely you would want to have a $ sign in your URL anyway.
Certain characters get encoded for use in a URL. You just need to use urldecode() to convert them back.
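The %26 and %24 questions above both come down to one rule: percent-encode once when building the URL, and let PHP decode once when it fills $_GET. The following is an added example, not code from any of the posts; the parameter names are borrowed from the questions and the values are constructed.

```php
<?php
// Added example: one encode on the way out, one decode on the way in.
// Parameter names come from the questions above; the values are constructed.

$params = [
    'pn'      => 'maths&stats',   // a value that itself contains an ampersand
    'Subject' => 'Algebra 1',
    'comname' => 'teststring',
];

// http_build_query() percent-encodes every name and value, so the & inside a
// value becomes %26 while the separators between pairs stay real ampersands.
$query = http_build_query($params);
echo $query, PHP_EOL;

// Writing the URL into HTML is a second, separate context: escape it for the
// attribute with htmlspecialchars(), do not percent-encode it again.
$href = 'index.php/search?' . $query;
echo '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">search</a>', PHP_EOL;

// parse_str() decodes the same way PHP does when it fills $_GET: exactly once.
parse_str($query, $received);
var_dump($received['pn'] === $params['pn']);

// A field named "$comname" travels as %24comname and arrives under the key
// '$comname', so a lookup of 'comname' finds nothing.
parse_str('stmaxdate=2013-05-31&%24comname=teststring', $get);
var_dump(array_keys($get));

// urldecode() on a value that PHP has already decoded is a second decode. It
// alters any value that legitimately contains a percent sign or a plus.
$already_decoded = '100%25 C++';
var_dump(urldecode($already_decoded) === $already_decoded);
```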

HTML Special characters in DB and echo back in input

Morning,
I have created a small form to store some information to a database.
I have magic_quotes_gpc turned off on my server.
If I enter a " or a £ sign in the box it stores into the database without a worry.
When I echo it back with PHP it displays, but if I use the value in an input form field the " closes the value field.
<input type="text" name="variable" value="<?php echo $row['variable']; ?>" />
I have now used htmlspecialchars around the input value and it works.
<input type="text" name="variable" value="<?php echo htmlspecialchars($row['variable']); ?>" />
But I have looked at the OpenCart source as a reference and they do not use htmlspecialchars but store the data in a different way.
I tried using the urlencode method they have used:
urlencode(html_entity_decode($_POST['variable'], ENT_QUOTES, 'UTF-8'));
but this seems to store as a lot of numbers and + signs which did not display back correctly.
I would rather encode the update database instead of using the method I am with htmlspecialchars.
But not quite sure which way would be best?
Thank You
you may use
htmlentities() function in php
Perhaps try mysqli_real_escape_string($dblink, $string) instead of htmlspecialchars
For storing the HTML characters, change the characters and then store them:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
To get back the correct HTML Character do the decoding as:
<?php
$str = "<p>this -&gt; &quot;</p>\n";
echo htmlspecialchars_decode($str);
// note that here the quotes aren't converted
echo htmlspecialchars_decode($str, ENT_NOQUOTES);
?>
For more information refer to http://www.php.net/manual/en/function.htmlspecialchars.php
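Both htmlspecialchars questions above (the MS-SQL value cut off at the first double quote, and whether to encode before storing) are covered by one pattern: store the raw text through a bound parameter and escape only when writing it into HTML. The following is an added example, not code from any of the posts; it assumes the pdo_sqlite extension, and the helper e(), the table items and the column descr are hypothetical names.

```php
<?php
// Added example: store the raw value, escape only at HTML output time.
// Assumes pdo_sqlite; e(), "items" and "descr" are made-up names.

function e(string $s): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, descr TEXT)');

// Constructed sample input, as it would arrive in $_POST['desc'].
$input = 'Did you hear about "foobar"? It\'s £5 & <b>new</b>';

// Bound parameter: no addslashes() and no entity encoding before storage.
$stmt = $db->prepare('INSERT INTO items (descr) VALUES (:d)');
$stmt->execute([':d' => $input]);

// The database returns the text exactly as it was entered.
$stored = $db->query('SELECT descr FROM items WHERE id = 1')->fetchColumn();
var_dump($stored === $input);

// Unescaped: the first " ends the value attribute and the rest is parsed as markup.
echo '<input type="text" name="desc" value="' . $stored . '" />', PHP_EOL;

// Escaped at output time: the field shows the original text, quotes included.
echo '<input type="text" name="desc" value="' . e($stored) . '" />', PHP_EOL;

// Escaping before storage and again on output runs the encoder twice: the second
// pass encodes the & of the first pass, so the field shows entity text, not a quote.
echo e(e('"')), PHP_EOL;
```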

PHP pass variable through URL

I understand how a PHP URL works - I think ... but I'm having problems getting the actual value of the variable to be passed in the example below.
Example
Note: I am adding the below form into a data cell (as part of a table being read via PHP).
$currentrowid = 1;
echo '<td>
<div class="editdelete">
<form action="phpindex.php?page=edit&thisrow=<?php echo $currentrowid;?>" method="post">
<input type="submit" value="Edit" >
</form>
</div>
</td>';
... Some other section of code to read the URL output by the form above:
$val = $_POST['thisrow'];
echo "the value is: " .$val; //Outputs "$currentrowid"
So, as you can see the code returns the actual name of the variable being passed, NOT the value of the variable being passed.
Any ideas here?
Since you are already within a PHP block, you should not wrap your variable within <?php ... ?>. This will give you an error.
To make this work, you can choose 1 of 2 options:
1) String Concatenation:
echo '... <form action="phpindex.php?page=edit&thisrow='.$currentrowid.'" method="post"> ...';
2) Wrap your string in " (double quotes) instead of ' (single quotes):
echo "... <form action=\"phpindex.php?page=edit&thisrow=$currentrowid\" method=\"post\"> ...";
Note that the second method forces you to escape all the double quotes inside of your string.
2 point.
<form action="index.php?thisrow=<?php echo $currentrowid ?>"
method="post">
You should use $_POST not $_GET to get the post value.
As what was answered above,
<form action="index.php?thisrow=<?php echo $currentrowid; ?>" method="post">
is correct.
The reason behind this is you are passing HTML and you have to use an echo from php to output to the html. Otherwise you just get exactly what you put, which is $currentrowid.
Not the easiest, but a quick way to solve your problem. Change your form method to get method="get">, then
$val = $_GET['thisrow'];
