I am trying to echo a variable that contains a ', however it broke the script. To fix this, I used addslashes();
This is my code
$row["market_hash_name"] = addslashes($row["market_hash_name"]);
echo $row["market_hash_name"];
Now this doesn't break the script, but it displays a backslash. How can I make it not display a backslash before the ' without the ' breaking the script?
Edit: I understand it does not break the script, however, it prevents the rest of the jQuery echoed by the php from working properly.
You can use:
echo htmlspecialchars($row["market_hash_name"], ENT_QUOTES);
It will make sure all special characters are converted to HTML entities, so a single quote becomes &#039;
It won't break if you are just echoing:
$row = array(
'market_hash_name' => "hello'world"
);
echo $row['market_hash_name']; // outputs: hello'world
Echoing the word don't doesn't break your script, and you can easily echo it when it is stored in a variable, but if you want to echo a word without storing it somewhere it needs to be escaped using htmlspecialchars().
I think you have confused query and HTML output. In a query you escape a string twice. For example:
$query = 'I don\'t think so.';
^ first escape for php script
$query = 'I don\\\'t think so.';
^ second escape for mysql
it goes to mysql like this: I don\'t think so.
Also, you can use different types of quotation marks to avoid this two-step escaping, like:
"I don't think so.";
'I don"t think so.';
PHP-Beginner here looking for help, who's been trying for a full hour now to get this working.
I have a PHP line like this:
<td>'.$row["temperature"].'</td>
And I need to add a single quote ' to the front.
So, if $row["temperature"] is e.g. 9.77 the result is '9.77
I've tried to escape the single quote with a backslash, tried using double-quotes, etc. but I just can't get it working.
Can someone tell me how to get this working?
Examples which didn't work:
<td>'\'.$row["temperature"].'</td>
<td>"\'.$row["temperature"]."</td> //this gives me everything including the double quotes
<td>"\'.$row['temperature']."</td>
and many (failures) more...
Assuming that your first example is part of a longer expression like this:
echo 'Some more HTML markup <td>'.$row["temperature"].'</td> More Markup here too';
Then you're putting the leading ' in the wrong place. Include it in the preceding string:
$row = ['temperature'=>3];
echo 'Some more HTML markup <td>\''.$row["temperature"].'</td> More Markup here too';
// ^^ insert here
Output:
Some more HTML markup <td>'3</td> More Markup here too
See https://3v4l.org/o82U9
I am using PHP/mysqli to read in comments, but various comments in the table have either a single quote or a double quote.
I am storing the comments in a data-attribute. Using the Chrome console, I can see where the quote is throwing the whole code out of whack.
<?php
echo "<td><a href='' class='comment' data-toggle='modal' data-comment='".htmlentities($row['comment'])."'>" . $row['partner_name'] . "</a></td>";
?>
As you can see in the code above, I tried to use htmlentities. I also tried addslashes and a combination of the two.
Either way, I still can't get the comment to display properly because of the quote inside the mysql table.
Is there another PHP function that I can use to fix this?
Directly above is a screenshot from the Chrome console. Right after the words POTENTIAL 53 there is a single quote that is throwing my code off. All the other orange text is being read as HTML when it's supposed to be part of the comment.
There has to be a way to read the single quote as part of the string.
Pass the flag ENT_QUOTES to your htmlentities function. See http://php.net/htmlentities. This will replace quotes with their entities and prevent them from breaking out of the data-comment attribute.
Well, there are two problems:
You have to encode stuff, especially quotes:
$text = htmlentities($value, ENT_QUOTES);
The title attribute does not work with newlines, so you will have to deal with that. Something like this should do the job:
$text = preg_replace('/\r?\n/', '&#xA;', $text);
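The two questions above (the jQuery echoed by PHP in the first one, and the data-comment attribute here) are the same problem in two output contexts, and each context has its own encoder. The following is an added example, not code from any of the posts: h() is htmlspecialchars with ENT_QUOTES for HTML text and attribute values, and js() is json_encode for a value that ends up inside a script block, where neither addslashes nor htmlspecialchars produces a valid JavaScript string. The function names and the sample $row are constructed for the example.

```php
<?php
// Added example: context-aware output encoding for a value that is echoed into an
// HTML attribute (data-comment) and into JavaScript run by jQuery.
// h(), js() and the sample row are constructed for this example.

declare(strict_types=1);

/** Encode for HTML text and for attribute values, whether double- or single-quoted. */
function h(string $s): string
{
    // ENT_QUOTES turns both ' and " into entities (a lone ' would otherwise end a
    // single-quoted attribute); ENT_SUBSTITUTE keeps invalid UTF-8 from making
    // htmlspecialchars() return an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a PHP value as a JavaScript literal that is safe inside a <script> block. */
function js($value): string
{
    // json_encode() yields a valid JS literal; the HEX flags escape < > & ' " so the
    // literal cannot contain a closing </script> or break the surrounding HTML.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Constructed sample row: the comment holds both kinds of quote and a newline.
$row = [
    'partner_name'     => "O'Brien & Sons",
    'comment'          => "POTENTIAL 53' said \"yes\"\nsecond line",
    'market_hash_name' => "Don't break the <script>",
];

// 1) Attribute context: the attribute is single-quoted, so ENT_QUOTES is what
//    keeps the apostrophe after "POTENTIAL 53" inside the attribute value.
echo "<td><a href='#' class='comment' data-toggle='modal' data-comment='"
   . h($row['comment']) . "'>" . h($row['partner_name']) . "</a></td>\n";

// 2) JavaScript context: emit a JSON literal and let jQuery read it as a string.
//    addslashes() would leave visible backslashes; htmlspecialchars() would leave
//    entities in the JS string, which is the breakage the first question describes.
echo "<script>\n";
echo 'var name = ' . js($row['market_hash_name']) . ";\n";
echo "jQuery('#title').text(name);\n";
echo "</script>\n";
```

The design point is one encoder per context: the value is never pre-escaped when it is stored (the database should hold the raw text), and the encoding is chosen at the point of output from what surrounds the value there.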
Try escaping the quotes in your data. Something to this effect:
$pattern = "/\"|\'/";
$replace = '\\\"';
$subject = $row[comment];
$rowComment = preg_filter($pattern, $replace, $subject);
*Tip - You can also filter the data before storing it.
Description: echo $rowComment will produce a string with all quotes escaped;
I am going through someone else's code for a very old site and it has a lot of lines like this:
echo '';
I am not familiar with PHP, but having quickly gone through a syntax tutorial, it seems that this command would be printing the contents of the single quotes. However, the single quotes are empty, and there are LOTS of instances like these.
What is the purpose of having these lines, and how did they end up in the code?
You are right, they just print out empty string. I can only guess as to how they got into your code but it is surely safe to delete them.
Single or double quotes are used to denote strings, so with:
echo '';
You are printing an empty string, essentially nothing.
The only reason I can think of for choosing '' vs "" is:
echo '"'; // print "
echo "'"; // print '
I'm trying to write a PHP script that will generate a variety of new PHP pages, but I'm finding that I'm unable to write a square bracket out. When I escape a square bracket in the same way as other characters (i.e. \[ ) the leading \ is written to the new page, which results in code that doesn't work:
echo $row\['Value'\];
When I do not escape the bracket, the page fails, and the same thing happens when I try and substitute asc(91).
I have seen other examples that use code like $row->Value, but I tried that and it didn't work. If anyone can help me output a square bracket, or knows of another method by which I can fetch a value from a row without using one at all, I'd be very grateful
Your echo would appear as an array reference to PHP. Try this:
echo $row, "['Value'];"
assuming that you want the value of $row to be output, and not the literal text $row. If you want the literal text, (e.g. you're trying to build a PHP script on the fly), then either of these should do the trick:
echo '$row[\'Value\'];';
echo "\$row['Value'];";
How about this:
echo sprintf("\$row['%s']", $value); // either scenario
echo sprintf("%s['Value']", $row);
Keep in mind that PHP automatically parses double-quoted strings (") and tries to find variables within. So the bracket is probably not the issue; the $ variable prefix (coupled with the parser) probably is.
There are a couple other answers that work but I want to elaborate:
The "echo" construct can take a variable or a string. You can't echo a string to the screen in the same way that you do a variable. For example: echo hello; will not behave as you might think. You need to include it in quotes such as echo "hello";
You can also use single quotes. Single quotes and double quotes behave differently. For example:
$foo = "bar";
echo $foo;
echo "$foo";
echo '$foo';
The first will echo "bar", the second will also echo "bar" because PHP looks for variables in double quotes strings. The third will echo '$foo' because PHP does not try to do variable substitution in a single quoted string. So you can do (as #mark-b said):
echo "\$row['Value']";
or
echo '$row[\'Value\']';
Now, that $row->value syntax that you saw, is object notation. It is assuming that $row is an object and not an array. Objects are a whole other ballgame.
You're talking about code generation in your question, so I expect you also want to output the 'echo' statement in the generated code. Assuming you want to save the output into a file so it can be easily executed, you want to use something like fwrite or file_put_contents, I expect. You need to think in terms of strings, which can be a bit tricky when you're seeing code.
Something like this should work:
fwrite($fp, 'echo $row[\'Value\'];'."\n");
Note how the single and double quotes work. \n is resolved to a newline, but anything in the single quotes is treated as a string and is printed as is, apart from \', which should print a literal single quote in the output file.
Hope this helps.
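When the generated file grows beyond one line, hand-escaping every quote and backslash gets fragile. As an added example that is not part of the answers above, the template can be written as a nowdoc (<<<'PHP'), which PHP neither interpolates nor unescapes, so $row['Value'] is typed exactly as it should appear in the output, and any data values baked into the generated page go through var_export(), which produces valid PHP literals regardless of the quotes they contain. generatePage(), the output path and the sample values are constructed for this example.

```php
<?php
// Added example: generating a PHP file from a nowdoc template plus var_export()
// literals, so no manual escaping of ', \ or [ ] is needed.
// generatePage(), the output path and the sample data are constructed here.

declare(strict_types=1);

function generatePage(string $path, string $column, array $defaults): void
{
    // var_export() escapes ' and \ for us, so values like O'Brien are emitted correctly.
    $columnLiteral   = var_export($column, true);
    $defaultsLiteral = var_export($defaults, true);

    // Nowdoc: the body is taken verbatim. $row[%s] is literal text here; the %s
    // slots are filled by sprintf() below with the exported literals.
    $template = <<<'PHP'
<?php
$defaults = %s;
$row = array_merge($defaults, $row ?? []);
echo $row[%s], "\n";
PHP;

    $code = sprintf($template, $defaultsLiteral, $columnLiteral) . "\n";

    if (file_put_contents($path, $code, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $path");
    }
}

// Constructed run: write the page to the temp directory, show it, then execute it.
$out = sys_get_temp_dir() . '/generated_example.php';
generatePage($out, 'Value', ['Value' => "it's \"quoted\" [ok]"]);

echo "--- generated source ---\n", file_get_contents($out);
echo "--- running it ---\n";
require $out;
```

The generated file contains `echo $row['Value'], "\n";` with the bracket and quotes intact, because nothing in the nowdoc was processed as an escape. Only data that comes from outside the template (here the defaults array) needs an encoder, and var_export() is that encoder for PHP source.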
I have built a search engine using php and mysql.
Problem:
When I submit a word with an apostrophe in it and return the value to the text field using $_GET the apostrophe has been replaced with a backslash and all characters after the apostrophe are missing.
Example:
Submitted Words: Just can't get enough
Returned Value (Using $_GET): Just can\
Also the URL comes up like this: search=just+can%27t+get+enough
As you can see the ' has been replaced with a \ and get enough is missing.
Question:
Does anybody know what causes this to happen and what is the solution to fix this problem?
The code:
http://tinypaste.com/11d62
If you're running PHP version less than 5.3.0, the slash might be added by the Magic Quotes which you can turn off in the .ini file.
From your description of "value to the text field" I speculate you have some output code like this:
Redisplay
<input value='<?=$_GET['search']?>'>
In that case the contained single quote will terminate the html attribute. And anything behind the single quote is simply garbage to the browser. In this case applying htmlspecialchars to the output helps.
(The backslash is likely due to magic_quotes or mysql_*_escape before outputting the text. I doubt the question describes a database error here.)
Update: It seems it's indeed an output problem here:
echo "<a href='searchmusic.php?search=$search&s=$next'>Next</a>";
Regardless of if you use single or double quotes you would need:
echo "<a href='searchmusic.php?search="
. htmlspecialchars(stripslashes($search))
. "&s=$next'>Next</a>";
(Notice that using stripslashes is a workaround here. You should preserve the original search text, or disable the magic_quotes rather.)
Okay I forgot something crucial. htmlspecialchars needs the ENT_QUOTES parameter - always, and in your case particularly:
// prepare for later output:
$search = $_GET['search'];
$html_search = htmlspecialchars(stripslashes($search), ENT_QUOTES);
And then use that wherever you wanted to display $search before:
echo "<a href='searchmusic.php?search=$html_search&s=$next'>Next</a>";
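Interpolating $search into the href mixes two contexts: the value sits inside a URL query string, and that URL sits inside an HTML attribute. As an added example (not code from the question or the answer), the following applies one encoder per layer: http_build_query() URL-encodes the parameters, and htmlspecialchars() with ENT_QUOTES encodes the finished URL and the redisplayed input value. The request values are constructed in place of $_GET. Because magic_quotes_gpc was removed in PHP 5.4, there is no stripslashes() step; on a current PHP the backslash from the question simply does not appear.

```php
<?php
// Added example: redisplaying a search term and building the "Next" link with
// one encoder per context (URL, then HTML attribute).
// searchBox(), nextLink() and the sample request values are constructed here.

declare(strict_types=1);

/** HTML text/attribute encoder; ENT_QUOTES because the attributes are single-quoted. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The text field that redisplays the submitted term. */
function searchBox(string $term): string
{
    return "<input type='text' name='search' value='" . h($term) . "'>";
}

/** Link to the next result page: URL-encode the parameters, then HTML-encode the URL. */
function nextLink(string $term, int $next): string
{
    // http_build_query() percent-encodes ' as %27 and space as +, and joins with &.
    $url = 'searchmusic.php?' . http_build_query(['search' => $term, 's' => $next]);
    // h() turns the & between parameters into &amp; and any quote into an entity,
    // so the attribute cannot be terminated by the search text.
    return "<a href='" . h($url) . "'>Next</a>";
}

// Constructed request; real code would read these from $_GET.
$get  = ['search' => "Just can't get enough", 's' => '10'];
$term = $get['search'];
$next = (int) $get['s'];

echo searchBox($term), "\n";
echo nextLink($term, $next), "\n";
```

The apostrophe ends up as an entity inside the value attribute and as %27 inside the href, so the browser decodes each layer exactly once and the search term round-trips intact, which is what the truncated "Just can\" in the question was missing.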
Single quotes are important in PHP and MySQL.
A single quote is a delimiter for a string in PHP, for example:
$str = 'my string';
If you want to include a literal quote inside a string you must tell PHP that the quote is not the end of the string. It is escaped with the backslash, for example:
$str = 'my string with a quote \' inside it';
See PHP Strings for more on this.
MySQL operates in a similar way. An example query might be:
$username = 'andyb';
$query = "SELECT * FROM users WHERE user_name = '$username'";
The single quote delimits the string parameter. If the $username included a single quote, this would cause the query to end prematurely. Correctly escaping parameters is an important concept to be familiar with as it is one attack vector for breaking into a database - see SQL Injection for more information.
One way to handle this escaping is with mysql_real_escape_string().
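Escaping the parameter is one option; keeping it out of the SQL text altogether is the other, and it is the one that does not depend on getting every quote right. The following is an added example, not part of the answer: the same lookup written with a PDO prepared statement, where the ? placeholder is bound separately from the query string. mysql_real_escape_string() and the rest of the mysql_* extension were removed in PHP 7.0, so this uses PDO, which also works against MySQL. To run offline it builds a small in-memory SQLite table with constructed rows; the DSN for a real database is a placeholder in the comment. interpolatedQuery() is a constructed helper that only shows what the interpolated string from the answer looks like when the name contains a quote.

```php
<?php
// Added example: the users lookup from the answer above with a PDO prepared
// statement instead of string interpolation. Runs offline on in-memory SQLite
// with constructed sample rows; swap the DSN for a mysql: one in real code.

declare(strict_types=1);

function connect(): PDO
{
    // Placeholder for a real DSN, e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4'
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Constructed sample data; one name contains the single quote under discussion.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (user_name) VALUES (?)');
    foreach (["andyb", "o'brien"] as $name) {
        $ins->execute([$name]);
    }
    return $pdo;
}

/** The answer's query with a bound parameter; returns null when there is no match. */
function findUserByName(PDO $pdo, string $username): ?array
{
    // The value travels separately from the SQL text, so a quote inside $username
    // is just data and can never end the string literal early.
    $stmt = $pdo->prepare('SELECT id, user_name FROM users WHERE user_name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Constructed helper: the interpolated SQL from the answer, shown for comparison only. */
function interpolatedQuery(string $username): string
{
    return "SELECT * FROM users WHERE user_name = '$username'";
}

$pdo = connect();
foreach (["andyb", "o'brien", "nobody"] as $name) {
    $row = findUserByName($pdo, $name);
    printf("%-8s -> %s\n", $name, $row ? "id {$row['id']}" : 'no match');
}

// With interpolation the apostrophe in o'brien closes the string literal, and the
// rest of the name is parsed as SQL rather than as part of the value.
echo interpolatedQuery("o'brien"), "\n";
```

The bound lookup returns the o'brien row like any other, while the interpolated string has an unbalanced quote that a database would reject as a syntax error. That is the same mechanism the answer describes, and parameter binding removes it by construction rather than by per-character escaping.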