simple: php addslashes, magic quotes, etc etc?

opioid · 02-27-2005, 01:05 PM

Hello. My server has php magic quotes turned on. When I add a record to a MySQL row, like "britney's favorite color is pink" and then fetch the value of the row into a text input with mysql SELECT, the only part of the data that comes back is "britney" -- it always cuts off at the apostrophe, single-quote, and other symbols like "&".

I have tried combinations of addslashes, stripslashes, etc, to no avail. Can anyone tell me how to get php to populate the _entire_ row data into the text input?

Thanks!
Noah

edit: 2.5 hours later -- still unable to get this to work -- any suggestions? pulling my hair out

keefaz · 02-28-2005, 06:41 AM

Did you try mysql_real_escape_string() to encode string to the field then
stripslashes() to decode the string from the field ?

opioid · 02-28-2005, 05:09 PM

Thanks for the reply! I am killing myself over this... and unfortunately, it's still not working. I have tried many permutations of addslashes and stripslashes but that doesn't seem to work. I can get MySQL into the database, as either escaped or unescaped strings.

For example, I can insert either "britney\'s tight ass" or "britney's tight ass"

But whenever I fetch the info back into a text input with a while loop and call from the resulting array, I get only "britney" either way.

Any other suggestions?

Thanks!

ochazuke · 03-01-2005, 12:01 PM

I found your message while looking for an answer to the same problem.

I found http://lists.evolt.org/archive/Week-...19/126816.html

It gives the answer: run the function htmlspecialchars() on the string that you want to populate your text field and you're golden.

Like this:

MySQL field contents: Brittney's sweet eyes are "awesome" & <cool>
That goes into the variable $popsingerstuff
then do this...

$popsingerstuff = htmlspecialchars($popsingerstuff);

Then that goes in the text input tag in html...

<input type="text" name="aname" value="<?php echo $popsingerstuff; ?>"size="60" />

You could do it all within the tag as well by inserting the htmlspecialchars function between the opening php tag and the echo command above...

<input type="text" name="aname" value="<?php
$popsingerstuff = htmlspecialchars($popsingerstuff); echo $popsingerstuff; ?>"size="60" />

Bye.

opioid · 03-01-2005, 12:46 PM

actually that probly does work, but this is easier: I found it concurrently, and thank you for the help!

http://www.dbforums.com/t1117079.html

google and LQ to the rescue

!

ochazuke · 03-01-2005, 01:22 PM

It works alright, but I wonder if it will work outside of text areas. If you use both methods and compare the source code, you'll see that using the function outputs html-compliant code, but the concatenater outputs literal quotes, tags and other special characters.

Might that cause problems? Might it allow the insertion of code into your web pages? (one might not mind that, but it might open a door to malicious code inserted by a user.)

ochazuke · 03-01-2005, 01:43 PM

Yes, the special characters were parsed by my browser when the variable was output in a page.

So, I'll use the htmlspecialchars function to prevent evil code showing up on my web pages.

Also, I found another function (in the book 'Beginning PHP, Apache, MySQL Web Development by wrox publishers) which will preserve the line breaks. It's nl2br().

So, you could do this:

$user_entered_stuff = nl2br(htmlspecialchars($user_entered_stuff));
echo $user_entered_stuff;

What do you think.