LinuxQuestions.org
Old 02-27-2005, 01:05 PM   #1
opioid
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Ubuntu
Posts: 124

Rep: Reputation: 15
[SOLVED]: php addslashes, magic quotes, etc etc?


Hello. My server has php magic quotes turned on. When I add a record to a MySQL row, like "britney's favorite color is pink" and then fetch the value of the row into a text input with mysql SELECT, the only part of the data that comes back is "britney" -- it always cuts off at the apostrophe, single-quote, and other symbols like "&".

I have tried combinations of addslashes, stripslashes, etc, to no avail. Can anyone tell me how to get php to populate the _entire_ row data into the text input?

Thanks!
Noah


edit: 2.5 hours later -- still unable to get this to work -- any suggestions? pulling my hair out

Last edited by opioid; 03-01-2005 at 01:06 PM.
 
Old 02-28-2005, 06:41 AM   #2
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,230

Rep: Reputation: 724
Did you try mysql_real_escape_string() to encode string to the field then stripslashes() to decode the string from the field?
 
Old 02-28-2005, 05:09 PM   #3
opioid
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Ubuntu
Posts: 124

Original Poster
Rep: Reputation: 15
hey

Thanks for the reply! I am killing myself over this... and unfortunately, it's still not working. I have tried many permutations of addslashes and stripslashes but that doesn't seem to work. I can get MySQL into the database, as either escaped or unescaped strings.

For example, I can insert either "britney\'s tight ass" or "britney's tight ass"

But whenever I fetch the info back into a text input with a while loop and call from the resulting array, I get only "britney" either way.

Any other suggestions?

Thanks!
 
Old 03-01-2005, 12:01 PM   #4
ochazuke
LQ Newbie
 
Registered: Mar 2005
Posts: 3

Rep: Reputation: 0
htmlspecialchars($name)

I found your message while looking for an answer to the same problem.

I found http://lists.evolt.org/archive/Week-...19/126816.html

It gives the answer: run the function htmlspecialchars() on the string that you want to populate your text field and you're golden.

Like this:

MySQL field contents: Brittney's sweet eyes are "awesome" & <cool>
That goes into the variable $popsingerstuff
then do this...

$popsingerstuff = htmlspecialchars($popsingerstuff);

Then that goes in the text input tag in html...

<input type="text" name="aname" value="<?php echo $popsingerstuff; ?>" size="60" />

You could do it all within the tag as well by inserting the htmlspecialchars function between the opening php tag and the echo command above...

<input type="text" name="aname" value="<?php
$popsingerstuff = htmlspecialchars($popsingerstuff); echo $popsingerstuff; ?>" size="60" />

Bye.

Last edited by ochazuke; 03-01-2005 at 12:08 PM.
 
Old 03-01-2005, 12:46 PM   #5
opioid
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Ubuntu
Posts: 124

Original Poster
Rep: Reputation: 15
just me being a dumbass

actually that probably does work, but this is easier: I found it concurrently, and thank you for the help!

http://www.dbforums.com/t1117079.html

google and LQ to the rescue !
 
Old 03-01-2005, 01:22 PM   #6
ochazuke
LQ Newbie
 
Registered: Mar 2005
Posts: 3

Rep: Reputation: 0
I'm uneasy

It works alright, but I wonder if it will work outside of text areas. If you use both methods and compare the source code, you'll see that using the function outputs html-compliant code, but the concatenator outputs literal quotes, tags and other special characters.

Might that cause problems? Might it allow the insertion of code into your web pages? (one might not mind that, but it might open a door to malicious code inserted by a user.)

Last edited by ochazuke; 03-01-2005 at 01:23 PM.
 
Old 03-01-2005, 01:43 PM   #7
ochazuke
LQ Newbie
 
Registered: Mar 2005
Posts: 3

Rep: Reputation: 0
Yes, the special characters were parsed by my browser when the variable was output in a page.

So, I'll use the htmlspecialchars function to prevent evil code showing up on my web pages.

Also, I found another function (in the book 'Beginning PHP, Apache, MySQL Web Development' by wrox publishers) which will preserve the line breaks. It's nl2br().

So, you could do this:

$user_entered_stuff = nl2br(htmlspecialchars($user_entered_stuff));
echo $user_entered_stuff;

What do you think?
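
Added example, not part of any post in this thread: it shows why the field stopped at the apostrophe and how escaping at output time fixes both the text input (post #4) and text printed into the page body (post #7). It assumes the original form used a single-quoted value attribute; the sample strings and the helpers html_escape() and shown_in_field() are constructed for illustration.

```php
<?php
// Constructed sample data; html_escape() and shown_in_field() are hypothetical helpers.
$stored  = "Brittney's sweet eyes are \"awesome\" & <cool>";
$comment = "line one\n<script>alert(1)</script>";

// ENT_QUOTES encodes both ' and ", so the result is safe inside an attribute
// delimited with either quote character, and inside element text.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Rough stand-in for the browser: read value='...' up to the first closing
// quote, then decode entities the way the field would display them.
function shown_in_field(string $html): string
{
    preg_match("/value='([^']*)'/", $html, $m);
    return html_entity_decode($m[1] ?? '', ENT_QUOTES, 'UTF-8');
}

// Unescaped: the apostrophe in the data closes the attribute early.
$raw  = "<input type='text' name='aname' value='" . $stored . "' size='60' />";
// Escaped: the data contains no literal quote, so the attribute stays intact.
$safe = "<input type='text' name='aname' value='" . html_escape($stored) . "' size='60' />";

echo "raw markup : $raw\n";
echo "field shows: " . shown_in_field($raw) . "\n\n";
echo "safe markup: $safe\n";
echo "field shows: " . shown_in_field($safe) . "\n\n";

// Element text: escape first, then add <br />. Reversing the order would
// escape the <br /> tags that nl2br() just inserted.
echo "right order: " . nl2br(html_escape($comment)) . "\n";
echo "wrong order: " . html_escape(nl2br($comment)) . "\n";
```

Escaping for HTML belongs at output time and is separate from escaping for the SQL query; the slashes added for MySQL do nothing to protect the attribute.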
 
  

