Double-quotation Mark In Db Data Stops Input Value Early


son

I was working on an issue on a product update form that shows for each input field the currently stored values in the database. For some products the current name would just not show in the form. I have now discovered the reason. The product names that do not show in the input field (they are stored OK in the database) include a "-sign, which ends the value attribute of the input. As the user should be free to use either ' or ", I need to find a solution so that a "-sign in a product name does not interfere with the display of the product name. Is this possible? Or do I need to restrict the user from using the "-symbol?

The code that gets data from the database is:

if (!empty($row['product']))
{
    $product_echo = $row['product'];
}
else
{
    $product_echo = '';
}

The input is:

<input type="text" name="product" id="product" size="56" maxlength="40" value="<?php echo $product_echo; ?>" />

Thanks, Son


The actual function you should probably try is htmlspecialchars().
I see what you mean, but I am still not sure if that is the way to go. The value being displayed is also going back into the database when the form is updated. I do not want to infringe on the data to be stored in the db, if you know what I mean... Would that still be the way to do it? Son

You can always operate on the data after you retrieve it.
I tried htmlspecialchars and htmlentities and both just cause problems with the display of other symbols (which work fine as it is). It is really only the double quotation marks that cause havoc. I am working on a str_replace solution as:
// Deal with problematic characters
$issues       = array('’', '“', "”", '"');
$replacements = array("'", '"', '"', "''");

but it seems just not possible to use single quotation marks twice in the replacements array (it works fine to replace double with a single set of quotation marks). On the website it looks the same to have two single quotation marks... Do you know why this does not work? If I could make it work that is all I need... Son

Reason for edit: Forgot to say the first three replacements are for Word copy/paste issues, the third is my current issue...


There's no problem with replacing a double quote with two single quotes, the problem must be somewhere else.
But this does not make sense as:
$issues       = array('’', '“', "”", '"');
$replacements = array("'", '"', '"', "'");

or

$issues       = array('’', '“', "”", '"');
$replacements = array("'", '"', '"', "^");

does work without a fault. I tested those two without any problem... Is there something wrong in my $replacements array for the single quotation marks? Son


Are you only testing the replacement or do you assume the replacement is not working because something else fails? Have you tried something like this:

<?php
$issues       = array('’', '“', "”", '"');
$replacements = array("'", '"', '"', "''");
$str = 'A string with characters to replace: ’ “ ” "quoted"';
echo str_replace($issues, $replacements, $str);
?>

Like I said, the replacement works, if you're seeing a problem it's not with the replacement.


Are you only testing the replacement or do you assume the replacement is not working because something else fails? Have you tried something like this:
if (!isset($_POST['product']) OR empty($_POST['product']))
{
    $product = FALSE;
    $errors['product'] = 'Product';
}
else
{
    $product = escape_data($_POST['product']);
    $product = str_replace($issues, $replacements, $product);
    $product_echo = $_POST['product'];
}

The input field is as:

<input type="text" name="product" id="product" size="56" maxlength="40" value="<?php echo $product_echo; ?>" />

Is something wrong with this bit? Son


Well, you are storing the converted string in $product, but then you assign $_POST['product'] to $product_echo…


I'm not sure specifically what problems you're seeing, but I don't see any obvious errors with that code. There may be an issue with whatever the escape_data function does, or you may want to escape the data after replacing instead of before. Generally the last thing you do is escape.


I'm not sure specifically what problems you're seeing, but I don't see any obvious errors with that code. There may be an issue with whatever the escape_data function does, or you may want to escape the data after replacing instead of before. Generally the last thing you do is escape.
It is the query now, I use single quotation marks in there...
$query2 = "UPDATE products SET product = '$product', product2 = '$product2', parent_id = '$range', description = '$description', meta_title = '$meta_title', meta_keywords = '$meta_keywords', meta_description = '$meta_description', code = '$code', detail = '$detail', price = '$price' WHERE product_id = $pid";

And I found that if I do not use double quotation marks around the whole query, $pid won't work for the query. Is it possible to use: SET product = \"$product\" and so on, or is this not a good idea? Son


Your single quotes should be escaped in the query, are they not getting escaped? This is why you need to escape last, if you start with a double quote, then escape it, you end up with a slash then a double quote, or an escaped double quote. Then if you convert that double quote to two single quotes, you end up with a slash then two single quotes, or one escaped single quote and one unescaped single quote. That's why you need to escape last, after the data has been transformed however you want to transform it. If you escape the transformed data then you end up with two escaped single quotes instead of an unescaped one.


Your single quotes should be escaped in the query, are they not getting escaped? This is why you need to escape last, if you start with a double quote, then escape it, you end up with a slash then a double quote, or an escaped double quote. Then if you convert that double quote to two single quotes, you end up with a slash then two single quotes, or one escaped single quote and one unescaped single quote. That's why you need to escape last, after the data has been transformed however you want to transform it. If you escape the transformed data then you end up with two escaped single quotes instead of an unescaped one.
Got you now and changed/successfully tested on one field. Many thanks for valuable input, Son
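An added example (not code from the thread) that puts the two suggestions together for the same stored product name: htmlspecialchars() with ENT_QUOTES for the value attribute, so a " in the name cannot close the attribute and the stored data is never modified, and the "escape last" ordering for the SQL literal. The sample product name and the sql_escape_stand_in() function are constructed here; the stand-in assumes the thread's escape_data() wraps mysqli_real_escape_string(), which it imitates for quotes and backslashes so the script runs without a database connection.

```php
<?php
// Constructed sample: a product name containing both kinds of quotes and a backslash.
$stored = 'Bracket 2" x 3\' "Heavy" \\ Duty';

// 1. HTML attribute context: encode on output, never change what is stored.
//    ENT_QUOTES converts both " and ' so the value="" attribute cannot end early.
function attribute_value(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<input type="text" name="product" value="' . attribute_value($stored) . '" />', "\n";
// value="Bracket 2&quot; x 3&#039; &quot;Heavy&quot; \ Duty"
// The browser decodes the entities on submit, so $_POST['product'] is the
// original string again and nothing has to be undone before saving it.

// 2. SQL string context. Stand-in for the thread's escape_data() (assumption:
//    a mysqli_real_escape_string() wrapper); it backslash-escapes \ ' and ".
function sql_escape_stand_in(string $s): string
{
    return strtr($s, ['\\' => '\\\\', "'" => "\\'", '"' => '\\"']);
}

$issues       = ['’', '“', '”', '"'];
$replacements = ["'", '"', '"', "''"];

// Wrong order: escape first, then transform. The escaped \" turns into \'' :
// one escaped single quote followed by a bare one that ends the SQL literal.
function wrong_order(string $raw, array $issues, array $replacements): string
{
    return str_replace($issues, $replacements, sql_escape_stand_in($raw));
}

// Right order: transform first, escape last. Both single quotes end up escaped.
function right_order(string $raw, array $issues, array $replacements): string
{
    return sql_escape_stand_in(str_replace($issues, $replacements, $raw));
}

echo 'wrong: ', wrong_order('2" pipe', $issues, $replacements), "\n"; // 2\'' pipe
echo 'right: ', right_order('2" pipe', $issues, $replacements), "\n"; // 2\'\' pipe
```

A parameterized query (PDO or mysqli prepared statements) sends the value separately from the SQL text and removes the escaping step, and its ordering problem, entirely.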
