TRouble with quotes and double quotes
- barb woolums
- Forum Contributor
- Posts: 134
- Joined: Sun Feb 08, 2009 9:52 pm
TRouble with quotes and double quotes
I am trying to handle quotes and double quotes in user inputted data.
I am testing using the following string "It's 1""
This data is escaped using pg_escape_string and saved in a postgresql db. This works fine.
Then when I pull the data back out of the database it returns as "it's 1\"" which displays correctly.
My problem comes when I try to put the variable into a hidden input using a print statement to pass the value to another page.
Can anybody tell me how to do this?
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: TRouble with quotes and double quotes
For putting values into HTML, use htmlentities() or htmlspecialchars(),
(#10850)
Re: TRouble with quotes and double quotes
It's a little confusing but it sounds like you have the magic_quotes setting enabled in your php.ini? Turn it off and restart your web server.
- barb woolums
- Forum Contributor
- Posts: 134
- Joined: Sun Feb 08, 2009 9:52 pm
Re: TRouble with quotes and double quotes
I tried this
Code: Select all
$name=str_replace("'","''",$name);
$nameinput=htmlspecialchars("<input type=hidden name='name' value='".$name."'>");
echo $nameinput;
But ended up with the html showing up in my page
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: TRouble with quotes and double quotes
Yep, that's exactly what that code would do. Try:
Code: Select all
// ENT_QUOTES also escapes the single quote, which delimits the attribute value here
$nameinput="<input type=hidden name='name' value='".htmlspecialchars($name, ENT_QUOTES)."'>";
// or
$nameinput="<input type=hidden name='name' value='".urlencode($name)."'>";
(#10850)
- barb woolums
- Forum Contributor
- Posts: 134
- Joined: Sun Feb 08, 2009 9:52 pm
Re: TRouble with quotes and double quotes
Getting there - Using urlencode I got an input that looks like this
Code: Select all
<input type="hidden" value="it%27%27s+1%22" name="name">
However, when I used urldecode on the next page I get
it''s 1
I can convert the '' but have lost the double quote at the end
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: TRouble with quotes and double quotes
Post the code you use to display it on the next page (actually the code on both pages would help). And why the double single quotes now?
(#10850)
- barb woolums
- Forum Contributor
- Posts: 134
- Joined: Sun Feb 08, 2009 9:52 pm
Re: TRouble with quotes and double quotes
Here is the code to create the hidden input on the first page
Code: Select all
$name="it's 1\"";
$name=str_replace("'","''",$name);
$nameinput="<input type=hidden name='name' value='".htmlspecialchars($name)."'>";
echo $nameinput;
here's the code to display on the second page
Code: Select all
print(" value=".'"'.urldecode($_POST['name']).'"');
Re: TRouble with quotes and double quotes
Code: Select all
$name=str_replace("'","''",$name);
- barb woolums
- Forum Contributor
- Posts: 134
- Joined: Sun Feb 08, 2009 9:52 pm
Re: TRouble with quotes and double quotes
Yeah I don't need to do that any more. Took it out, but still get the same result.
Re: TRouble with quotes and double quotes
I would solve this by substituting a string value for the quotes and then replacing the quotes back in when they need to be displayed. There is no way I know of to process an escape and store it as [ \" ]; the escape \ will be lost. Depending on how you intend on using the value of " or ' you may want to return the value to dec, hex, oct or html respectively instead of the string value " or '. And I always make it a practice to insert all data into a database table as hex ( %22 ); an easy way is to use urlencode() and urldecode() to return values. This will ensure that no illegal values are passed into the database. If you need to give a variable a value of HTML code, an easy way to do this without using escaping is by writing the value in hex and decoding it into the variable:
Code: Select all
$foo = urldecode("%3Cinput+type%3D%22hidden%22+name%3D%22name%22+value%3D%22".$bar."%22%3E");
// $foo now contains <input type="hidden" name="name" value="$bar">
// substitution will also work:
// if $foo contains <input type="hidden" name="name" value='$bar'>
$foo = str_replace('"', '#d_quote', $foo, $true);
// $foo contains <input type=#d_quotehidden#d_quote name=#d_quotename#d_quote value='$bar'>
$foo = str_replace("'", '#s_quote', $foo, $true);
// $foo contains <input type=#d_quotehidden#d_quote name=#d_quotename#d_quote value=#s_quote$bar#s_quote>
// revert values back to string " and ' values:
$foo = str_replace('#d_quote', '"', $foo, $true);
$foo = str_replace('#s_quote', "'", $foo, $true);
// $foo now contains <input type="hidden" name="name" value='$bar'>
I hope this gives you some ideas and helps.
- barb woolums
- Forum Contributor
- Posts: 134
- Joined: Sun Feb 08, 2009 9:52 pm
Re: TRouble with quotes and double quotes
Ok I am using the substitution method - now the value posted to the second page is "its_quotes 1d_quote"
Now I can't figure out how to display it in an input on this page
Re: TRouble with quotes and double quotes
Please post your PHP code and explain the required result you want it to produce and I will help you figure it out.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: TRouble with quotes and double quotes
Try this. See what is displayed and view source to see the actual value.
test.php
Code: Select all
<form action="test.php" method="post">
<?php
if (isset($_POST['name'])) {
echo "name=".$_POST['name'].".<br>";
} else {
$name="it's 1\"";
$nameinput='<input type="hidden" name="name" value="'.htmlspecialchars($name).'">';
echo $nameinput;
}
?>
<input type="submit" name="go" value="Submit">
</form>
(#10850)
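The round trip this thread works toward, as an added example that is not any poster's code: the value is escaped once for the HTML attribute on page one and escaped again when page two writes it back into HTML, with no urlencode/urldecode or placeholder substitution in between. `hidden_input()` and `submitted_value()` are hypothetical helper names, and `DOMDocument` is assumed here as a stand-in for the browser's HTML parser.

```php
<?php
// Added example; the input is the test string used in the thread.
$name = 'it\'s 1"';

// Hypothetical helper: emit a hidden input with the value escaped for an
// HTML attribute. ENT_QUOTES covers both quote characters.
function hidden_input(string $field, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="hidden" name="' . htmlspecialchars($field, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Hypothetical helper: parse the markup as a browser would and return the
// value attribute of the first <input>, i.e. what the form would submit.
function submitted_value(string $html): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // malformed markup is expected
    $doc->loadHTML('<form>' . $html . '</form>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

// Page 1, unescaped: the data's own double quote ends the attribute early.
$broken = '<input type="hidden" name="name" value="' . $name . '">';
// Page 1, escaped for the HTML attribute context.
$safe = hidden_input('name', $name);

foreach (['unescaped' => $broken, 'escaped' => $safe] as $label => $html) {
    $posted = submitted_value($html);
    printf("%-9s markup: %s\n", $label, $html);
    printf("%-9s round trip intact: %s\n", $label, var_export($posted === $name, true));
}

// Page 2: PHP has already URL-decoded $_POST, so no urldecode(); the value
// is escaped again because it is being written into HTML again.
$posted = submitted_value($safe); // stands in for $_POST['name']
echo '<input type="text" name="name" value="'
    . htmlspecialchars($posted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">', "\n";
```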
- barb woolums
- Forum Contributor
- Posts: 134
- Joined: Sun Feb 08, 2009 9:52 pm
Re: TRouble with quotes and double quotes
Yay working now - thanks everyone!!!