Alright, so there's still stuff I have yet to learn about PHP. I'm trying to retrieve data from a MySQLi database and it's all fine until I'm forced to choose between double quotes or single quotes breaking something. With real_escape_string, I can store string data that contains a single quote, and it just gets escaped with a backslash, but if I don't use stripslashes() when I insert it into the value attribute...
If my value attribute looks like this in the code: value="_" then double quotes within the string trim any data after them, because they seem to be interpreted as the end of the value attribute.
If my value attribute looks like this in the code: value='__' then if I don't use stripslashes(), I see the slashes in the output, and if I use stripslashes(), it's the same thing as with the double quotes, but with any of the escaped single quotes within the string.
Hope this makes sense. I'm fairly tired right now, but with a few replies and questions asked for anyone who doesn't quite understand, I'm sure we can figure this out. :)
If you have to output data into HTML which might have special characters, use htmlspecialchars:
<input type="text" value="<?php echo htmlspecialchars('\'"&<>') ?>">
http://codepad.org/DxV3uq0L
http://jsfiddle.net/Uu29D/
I have a hint echoed; however, I have an issue with " and '. I can echo numerical values to the string, but not words.
$hint='<a href="javascript:void(0)"
onclick="javascript:document.contactForm.musicDetailTitle4.value=5;
document.contactForm.musicDetailArtist4.value=foo;">fill form</a>'.
5 works but foo doesn't work.
UPDATE
Still not getting an output
$hint='fill form'.
Whole Code
echo $hint='fill form'.$artist."-".$title."-".$id."</a>";
Output is...
fill formTomato Soup-Heinz-0001fill formTomato Soup-Heinz-0001
You need to escape the quotes
$hint='fill form'.
It doesn't have much to do with PHP but rather JavaScript.
When passing a numeric value you just pass the number itself, but when passing strings you must wrap them in quotations otherwise the compiler will mistake "foo" for a variable named foo which may or may not exist.
As others mentioned, all you have to do is wrap your string like so:
\'foo\'
The slashes are because you don't want to close your echo which was also opened using a single quote, so you need to escape the character so when it's echoed to the user it will become 'foo'.
Try this -
$hint='fill form'.
When declaring a string value you must add quotes, and when adding it in this way you must escape those quotes using the \ key.
We have a code like this:
echo '<input type="text" name="myInput" value="Double " Quotes" />';
Absolutely it doesn't work because the quote after Double ends the value.
We can fix it by using single quotes instead of double ones.
echo '<input type="text" name="myInput" value=\'Double " Quotes\' />';
Now I want to use both single and double quotes as the value. It should output She said:"I don't know."
Is there a way to fix it WITHOUT using HTML entities (like &quot;), htmlentities() or similar functions?
Is there a way to fix it WITHOUT using HTML entities (like &quot;), htmlentities() or similar functions?
No, there is not. The double quote (") has special meaning inside an HTML attribute. If you want to put it into an attribute value, you must (this is not a true must, but a good rule of thumb; it is a must if you use attributes delimited by double quotes, as you do in your question) write it as its entity &quot;. There is no way around it.
Actually, even <tag attr='this"'> is not wrong HTML, and most browsers can deal with that. However, it doesn't help you, because you're looking for both quotes, single and double, and one of these is always the delimiter of the attribute value in HTML if you need spaces inside the attribute value (as you do).
However, do not worry about that. It works, and you can express everything you like with that, including the combination of quotes you have.
And actually PHP is there for you to take the burden of "escaping" all those characters just with the htmlspecialchars method doing all the work for you. Inside a PHP string you have the original text - with single and double quotes as you see fit - verbatim.
$myString = 'She said: "I don\'t know."';
printf('<input type="text" name="myInput" value="%s" />'
, htmlspecialchars($myString));
Just a shortened example that should demonstrate how this works. Online demo.
To address the question in the title, there is no problem with using both " and ' in an attribute value. The problem arises in linearization of values, i.e. writing them in HTML markup (as opposed to generating them with client-side JavaScript). Then, if the value contains both " and ', either of them needs to be escaped, depending on which one you use as the value delimiter.
You do not need to use entity references, though. The character references &#x22; and &#x27; (or the equivalent decimal references) can be used, too.
In the case of the string
She said: "I don't know."
the correct English spelling is
She said: “I don’t know.”
Using the correct punctuation marks, no markup problem arises, since you can use the ASCII quotation mark " or the ASCII apostrophe as delimiter. They are meant for use in computer languages, not in human languages.
I'm using codeigniter, and what I do is basically:
$val = $this->db->call_function('real_escape_string', $this->input->post('name'));
This is all I do to data before putting it into the database. And when someone enters a value like O'hara, in the database it will appear like O\'hara.
So, I guess I can strip slashes on output, but is this the usual way of escaping and storing data in a database?
SOLVED
Active Record escapes the query, so I was double escaping, with the 'real_escape_string' function as well.
So I guess I don't need to use real_escape_string at all; Active Record does this.
The '\' is called an escape character and must be used so the next character after it (in your case ') won't interfere with the SQL statement. However, if you're using CI, it should take care of all of this for you. There's an 'HTML helper' that I believe you can use to format or take out the slashes on outputted text. Even then, but I could be wrong, when outputting values from a DB in CI, the slashes will automatically be stripped.
Escaping quotes and special characters is both regular practice and expected for record storage as it helps to ensure that your code can be accurately stored and extracted.
Escaping the strings for the SQL query is so that you can get the actual values into the database.
The value in the SQL query will look like O\'hara but the value that ends up in the database is O'hara.
So, you don't have to do anything at all when you display the value. Except escaping it for the environment where you display it, of course. If it's displayed in an HTML document, you would HTML encode it. This will not change the apostrophe ('), but it will change other characters, like < and >.
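To make the point of this answer concrete, here is an added example (not code from any of the answers above) showing that the escaping which protects the SQL statement is undone by the database, so the stored value is the original text, and that HTML escaping is a separate step done only at output. It uses an in-memory SQLite database through PDO so it runs offline; the table name and the O'hara input are constructed for the demonstration.

```php
<?php
// Added example: SQL escaping is for the query text only; the database
// stores the original value. HTML escaping happens separately at output.
// Requires the pdo_sqlite extension. MySQL's driver would render the
// literal as 'O\'hara'; SQLite doubles the quote instead: 'O''hara'.
declare(strict_types=1);

function storeAndReadBack(PDO $pdo, string $name): string
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS people (name TEXT NOT NULL)');
    // A bound parameter never becomes part of the SQL text, so no manual
    // real_escape_string call (and no stripslashes later) is needed.
    $pdo->prepare('INSERT INTO people (name) VALUES (?)')->execute([$name]);
    return (string) $pdo->query('SELECT name FROM people')->fetchColumn();
}

function toAttribute(string $value): string
{
    // ENT_QUOTES escapes ' as well as ", so the result is safe inside either
    // a double- or a single-quoted attribute (this is the default since 8.1).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$input = "O'hara";                                     // constructed form input
echo "query literal: " . $pdo->quote($input) . "\n";  // 'O''hara' on SQLite
$stored = storeAndReadBack($pdo, $input);
echo "stored value:  " . $stored . "\n";              // O'hara, no backslash
assert($stored === $input);

$escaped = toAttribute($stored);
echo "attribute:     " . $escaped . "\n";             // O&#039;hara
echo '<input type="text" value="' . $escaped . '">' . "\n";
echo "<input type='text' value='" . $escaped . "'>\n";
```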
Use directly:
$val = real_escape_string($this->input->post('name'));
I have an HTML form value as a PHP function: value='".$item->get_title()."' (This is in an echo statement, hence the single quotes.) The problem is that if the returned title contains any quotes, it breaks the value function.
Example: value="Kim Dotcom lawyer blasts US government" s "pattern of delay "e;'>
As you can see it breaks at government. There is supposed to be an apostrophe after that.
Does anyone know a fix for this?
The fix: value='".htmlspecialchars($item->get_title(), ENT_QUOTES)."'
Use htmlspecialchars to escape output not meant to be rendered as HTML:
value="'.htmlspecialchars($item->get_title(), ENT_QUOTES).'"
By default, htmlspecialchars only escapes double quotes, not single quotes. If you want to escape both (and so maintain your practice of putting HTML values in single quotes), add ENT_QUOTES as the second parameter to htmlspecialchars.
Try with htmlspecialchars:
htmlspecialchars($item->get_title());
Try:
value='".str_replace('"', '', $item->get_title())."'
I query my MySQL database table and retrieve text strings that look like this:
This is a piece of a bronze artifact from the 'Bronze Age' -- it's in outstanding shape.
His amusing comment on the 3rd-century clay bowl: "Wow, she's a real piece!"
It's no secret that you 'don't mishandle old parchment artifacts, they're "very" fragile' -- yet it still happens.
THE PROBLEM -- I use PHP variables to hold the above strings read from the database, and use the PHP variables in my heredoc form. And I saw right away that a string got truncated when the first space in the string was encountered -- the form only showed text up to the first space.
So I put single quotes around my PHP variables in the heredoc form (see below).
Now I get truncation when the string that came from the database has single quotes.
I can put quotes around my PHP variables, but I'm getting truncations of the text strings when they contain single quotes or double quotes, and if I don't quote the PHP variable in the heredoc, a space in the string truncates the string from that point on.
I'm using PHP, and here is the code that gets data from the MySQL query result, stores the database data into PHP variables, then uses them in a heredoc:
$row = mysql_fetch_row($result);
//var_dump($row); // the dump proves that the full string comes
// out of the database, with spaces, single and double quotes
$descriptionOfArtifact = $row[0];
$commentsAboutTheDiggingSite = $row[1];
$expertRecommendationsForRestoring = $row[2];
// output the next row from the Artifacts table...
echo <<< NEXT_ROW_HEREDOC
<input type="text" id="Description"
name="descrip" value='$descriptionOfArtifact' readonly="readonly"></input>
<input type="text" id="Comments"
name="comments" value='$commentsAboutTheDiggingSite' readonly="readonly"></input>
<input type="text" id="Experts"
name="experts" value='$expertRecommendationsForRestoring' readonly="readonly"></input>
NEXT_ROW_HEREDOC;
I need this form to display the full text string that is read from the database and stored in the above PHP variables. I thought the single quotes around the variable names would do it but I think the heredoc is messing that up (somehow).
So in a heredoc, how can I use PHP variables and be able to see:
single quotes
double quotes
spaces
html tags
any printable character, really
in a heredoc form?
You have a space between the <<< and the end-of-text keyword. That's probably causing the issue.
Also, call htmlspecialchars on $row[0], $row[1] and $row[2] when you're assigning them to variables, and use double-quotes on your value="..." attribute.
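The second part of this answer, applied to the asker's heredoc, as an added example (not the asker's code or the answerer's): each value is escaped with htmlspecialchars on assignment, since a heredoc interpolates variables but not function calls, and the attributes are delimited with double quotes. The rows are constructed inline from the three strings in the question so it runs without MySQL; renderRow and attr are names chosen here.

```php
<?php
// Added example: escape before interpolation, double-quote the attributes.
// The original truncation at the first space came from the unquoted
// value=$var form; the quote truncation came from the unescaped ' and ".
declare(strict_types=1);

function attr(string $value): string
{
    // ENT_QUOTES covers ' as well as ", so the value cannot end the
    // attribute whichever delimiter is used; spaces need no treatment.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRow(array $row): string
{
    // Escaping happens here, on assignment, because a heredoc cannot
    // call functions while interpolating.
    $descriptionOfArtifact = attr($row[0]);
    $commentsAboutTheDiggingSite = attr($row[1]);
    $expertRecommendationsForRestoring = attr($row[2]);

    return <<<NEXT_ROW_HEREDOC
<input type="text" id="Description" name="descrip" value="$descriptionOfArtifact" readonly="readonly">
<input type="text" id="Comments" name="comments" value="$commentsAboutTheDiggingSite" readonly="readonly">
<input type="text" id="Experts" name="experts" value="$expertRecommendationsForRestoring" readonly="readonly">

NEXT_ROW_HEREDOC;
}

// Constructed sample row, standing in for mysql_fetch_row($result).
$row = [
    "This is a piece of a bronze artifact from the 'Bronze Age' -- it's in outstanding shape.",
    'His amusing comment on the 3rd-century clay bowl: "Wow, she\'s a real piece!"',
    "It's no secret that you 'don't mishandle old parchment artifacts, they're \"very\" fragile' -- yet it still happens.",
];

echo renderRow($row);

// Sanity check: no raw quote of either kind survives inside an attribute value.
foreach ($row as $value) {
    $escaped = attr($value);
    assert(strpos($escaped, '"') === false && strpos($escaped, "'") === false);
}
```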
In simple HTML code you need to show your value with double quotes "", and if you are using PHP to print some HTML code through echo, you need to use single quotes to show your value in the input box.