Let's say I have a column product name and it has the value Shoe's.
When I pick that value from the db, use mysql_real_escape_string and place it in an HTML hidden input, it becomes <input type='hidden' value='Shoe\'s' id='product_name'>
When I do $('#product_name').val() it returns only Shoe\, truncating the s or the rest of the value after that. jQuery is assuming the escaped single quote is the closing quote for the attribute value.
One solution is to use value="" (enclosed in double quotes), but what if the value contains a double quote? So the problem persists.
Any help is appreciated.
Thanks!
You must not use mysql_real_escape_string for HTML output. Use the appropriate htmlspecialchars instead.
In HTML, a backslash before a quote does not mean that the quote is escaped. An escaped ' in HTML is &#39;. That's why you use the appropriate escaping method for your output target. mysql_real_escape_string is appropriate when escaping for SQL, htmlspecialchars is appropriate when escaping for HTML.
Alright, so there's still stuff I have yet to learn about PHP. I'm trying to retrieve data from a MySQLi database and it's all fine until I'm forced to choose between double quotes or single quotes breaking something. With real_escape_string, I can store string data that contains a single quote, and it just gets escaped with a backslash, but if I don't use stripslashes() when I insert it into the value attribute...
If my value attribute looks like this in the code: value="_" then double quotes within the string trim any data after them, because they seem to be interpreted as the end of the value attribute.
If my value attribute looks like this in the code: value='__' then if I don't use stripslashes(), I see the slashes in the output, and if I use stripslashes(), it's the same thing with the double quotes, but with any of the escaped single quotes within the string.
Hope this makes sense. I'm fairly tired right now, but with a few replies and questions asked for anyone who doesn't quite understand, I'm sure we can figure this out. :)
If you have to output data into HTML which might have special characters, use htmlspecialchars
<input type="text" value="<?php echo htmlspecialchars('\'"&<>') ?>">
http://codepad.org/DxV3uq0L
http://jsfiddle.net/Uu29D/
I have some question about saving html code in mysql database
Every time I put the character " ' " in the database it changes to " / ".
Example:
something like that
<p>That's my name</p>
After saving it look like this:
<p>That\'s my name</p>
What can I do?
thank u all
Use parameterized queries to escape data going into the database
Use nothing else to escape data going into the database (otherwise you will double escape, which can cause this problem)
Do not use mysql_real_escape_string
Do not use addslashes
etc
Do not escape data coming out of the database (since that will cause this problem)
Make sure magic quotes are disabled (since having them turned on will escape data going into and out of the database and cause this problem).
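An added example (not from any of the posts above) that puts the first two points into practice: it stores the question's string with a bound parameter and reads it back unchanged, then repeats the insert with addslashes() applied first to show where the stray backslash comes from. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database in place of MySQL.

```php
<?php
// Added example, not from the posts above: store a string that contains an
// apostrophe with a prepared statement and read it back unchanged.
// Assumes the pdo_sqlite extension; an in-memory SQLite DB stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample taken from the question.
$html = "<p>That's my name</p>";

function storeAndRead(PDO $pdo, string $body): string
{
    // The value travels as a bound parameter, separate from the SQL text,
    // so the driver handles quoting and nothing is escaped by hand.
    $insert = $pdo->prepare('INSERT INTO page (body) VALUES (:body)');
    $insert->execute([':body' => $body]);

    $select = $pdo->prepare('SELECT body FROM page WHERE id = :id');
    $select->execute([':id' => $pdo->lastInsertId()]);
    return (string) $select->fetchColumn();
}

// Parameter only: what comes out equals what went in.
$stored = storeAndRead($pdo, $html);
echo ($stored === $html ? 'unchanged: ' : 'ALTERED: ') . $stored, PHP_EOL;

// The double-escaping mistake: addslashes() plus a bound parameter stores the
// backslash as part of the data, which is exactly where That\'s comes from.
echo 'double-escaped: ' . storeAndRead($pdo, addslashes($html)), PHP_EOL;
```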
You are using addslashes-like escape functions in your code.
addslashes() — Quote string with slashes - http://php.net/manual/en/function.addslashes.php
stripslashes() — Un-quotes a quoted string - http://php.net/manual/en/function.stripslashes.php
Use stripslashes to remove '\' from HTML data. Actually, (') is used to define strings in MySQL, so it escapes it (by putting \ in front) in order to avoid any unintentional use.
I have a HTML form value as a PHP function: value='".$item->get_title()."' (This is in an echo statement hence the single quotes.) The problem is that if the returned title contains any quotes it breaks the value function.
Example: value="Kim Dotcom lawyer blasts US government" s "pattern of delay "e;'>
As you can see it breaks at government. There is supposed to be an apostrophe after that.
Does anyone know a fix for this?
The fix: value='".htmlspecialchars($item->get_title(), ENT_QUOTES)."'
Use htmlspecialchars to escape output not meant to be rendered as HTML:
value="'.htmlspecialchars($item->get_title(), ENT_QUOTES).'"
By default, htmlspecialchars only escapes double quotes, not single quotes. If you want to escape both (and so maintain your practice of putting HTML values in single quotes), add ENT_QUOTES as the second parameter to htmlspecialchars.
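An added example (not from any of the posts above) that demonstrates both this answer and the earlier one about mysql_real_escape_string: one title is escaped three ways, dropped into a single-quoted and a double-quoted value attribute, parsed as a browser would (via DOMDocument) and read back. addslashes stands in for mysql_real_escape_string, which needs a live database link; ENT_COMPAT is passed explicitly because the default flags changed in PHP 8.1.

```php
<?php
// Added example, not from the posts above: escape one title three ways, put
// each into a single- and a double-quoted value attribute, parse the markup as
// a browser would (DOMDocument) and check whether the value survives.
$title = "Kim Dotcom's lawyer blasts \"pattern of delay\""; // constructed sample

$candidates = [
    // addslashes stands in for mysql_real_escape_string (which needs a DB link);
    // both produce backslash escaping, which HTML does not understand.
    'backslash (SQL-style)'       => addslashes($title),
    // ENT_COMPAT is the pre-8.1 default: " becomes &quot;, ' is left alone.
    'htmlspecialchars ENT_COMPAT' => htmlspecialchars($title, ENT_COMPAT, 'UTF-8'),
    // ENT_QUOTES encodes both quote kinds, so either attribute quoting works.
    'htmlspecialchars ENT_QUOTES' => htmlspecialchars($title, ENT_QUOTES, 'UTF-8'),
];

function readBack(string $escaped, string $quote): string
{
    $doc = new DOMDocument();
    // @ silences libxml's warnings about the malformed variants.
    @$doc->loadHTML("<input type='hidden' value={$quote}{$escaped}{$quote}>");
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : '';
}

foreach ($candidates as $name => $escaped) {
    foreach (["'", '"'] as $quote) {
        $value = readBack($escaped, $quote);
        printf("%-28s in %s-quoted attribute: %s\n",
            $name, $quote, $value === $title ? 'intact' : 'BROKEN -> ' . $value);
    }
}
```

Only the ENT_QUOTES variant comes back intact in both attribute styles; the backslash variant is cut at the first quote either way, and the ENT_COMPAT variant breaks as soon as the attribute is single-quoted.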
try with htmlspecialchars
htmlspecialchars($item->get_title());
try:
value='".str_replace('"', '', $item->get_title())."'
I have a string:
$departmentList = "value:'16:NAR,JR'S OFFICE;17:MFR'S OFFICE;18:NAR/MFR JOINT OFFICE'"
My problem is, the single quotes you can see in JR'S OFFICE and MFR's OFFICE are prematurely ending my string. I could switch my double quotes with single quotes and vice versa, but these are coming from user-entered values. If the user had entered a double quote, I would be in the same boat as I am now.
Any ideas on how to keep the integrity of this string while having single and double quotes throughout?
By the way, not sure if this matters for anything but - I'm putting my $departmentList string into a jQGrid to build the values for a select box.
Use addslashes to replace " with \" and ' with \'.
If you are using the input for database purposes, better use mysql_real_escape_string()
$departmentList = "value:'16:NAR,JR'S OFFICE;17:MFR'S OFFICE;18:NAR/MFR JOINT OFFICE'";
$data = mysql_real_escape_string($departmentList);
What are the requirements for character escaping in the input tag's value attribute in the HTML markup?
Is it just double quotes that need to be escaped? HTML special characters as well?
I tried looking through the W3C spec, but I couldn't find any specific details on how stuff should be put into the value attribute.
I suppose it goes without saying that " should be escaped to &quot;, but what about the others? Both escaping and not escaping seem to work just fine in all my browsers, but I don't want to pick the nonstandard one and wind up with broken HTML or &amp;amp;.
Attribute values only need to have their quote marks escaped.
If the attribute uses double quotes, replace double quotes with &quot;.
If your attribute is contained within single quotes, escape the single quotes in the string with &#39;. Note: don't use &apos;!
These are all valid HTML:
<input value=foo>
<input value="foo">
<input value='foo'>
Note: quotes aren't required to be valid HTML. XHTML however does require quotes. Without quotes, you can't have spaces in the attribute value.