Trouble with quotes and double quotes
Posted: Sun Jan 26, 2014 7:49 pm
by barb woolums
I am trying to handle quotes and double quotes in user inputted data.
I am testing using the following string "It's 1""
This data is escaped using pg_escape_string and saved in a postgresql db. This works fine.
Then when I pull the data back out of the database it returns as "it's 1\"" which displays correctly.
My problem comes when I try to put the variable into a hidden input using a print statement to pass the value to another page.
Can anybody tell me how to do this?
Re: Trouble with quotes and double quotes
Posted: Sun Jan 26, 2014 8:19 pm
by Christopher
For putting values into HTML, use htmlentities() or htmlspecialchars().
Re: Trouble with quotes and double quotes
Posted: Sun Jan 26, 2014 8:30 pm
by requinix
It's a little confusing but it sounds like you have the magic_quotes setting enabled in your php.ini? Turn it off and restart your web server.
Re: Trouble with quotes and double quotes
Posted: Sun Jan 26, 2014 8:45 pm
by barb woolums
I tried this
Code:
$name=str_replace("'","''",$name);
$nameinput=htmlspecialchars("<input type=hidden name='name' value='".$name."'>");
echo $nameinput;
But ended up with the html showing up in my page
Re: Trouble with quotes and double quotes
Posted: Sun Jan 26, 2014 9:20 pm
by Christopher
Yep, that's exactly what that code would do. Try:
Code:
// ENT_QUOTES also escapes ' so the value cannot close the single-quoted attribute
$nameinput="<input type=hidden name='name' value='".htmlspecialchars($name, ENT_QUOTES)."'>";
// or
$nameinput="<input type=hidden name='name' value='".urlencode($name)."'>";
Re: Trouble with quotes and double quotes
Posted: Sun Jan 26, 2014 9:34 pm
by barb woolums
Getting there - using urlencode I got an input that looks like this
Code:
<input type="hidden" value="it%27%27s+1%22" name="name">
However, when I used urldecode on the next page I get
it''s 1
I can convert the '' but have lost the double quote at the end
Re: Trouble with quotes and double quotes
Posted: Sun Jan 26, 2014 11:34 pm
by Christopher
Post the code you use to display it on the next page (actually the code on both pages would help). And why the double single quotes now?
Re: Trouble with quotes and double quotes
Posted: Sun Jan 26, 2014 11:46 pm
by barb woolums
Here is the code to create the hidden input on the first page
Code:
$name="it's 1\"";
$name=str_replace("'","''",$name);
$nameinput="<input type=hidden name='name' value='".htmlspecialchars($name)."'>";
echo $nameinput;
Here's the code to display on the second page
Code:
print(" value=".'"'.urldecode($_POST['name']).'"');
Re: Trouble with quotes and double quotes
Posted: Mon Jan 27, 2014 6:27 am
by Celauran
Code:
$name=str_replace("'","''",$name);
Why are you replacing single quotes with doubled single quotes?
Re: Trouble with quotes and double quotes
Posted: Mon Jan 27, 2014 7:19 pm
by barb woolums
Yeah I don't need to do that any more. Took it out, but still get the same result.
Re: Trouble with quotes and double quotes
Posted: Mon Jan 27, 2014 7:30 pm
by phper2014
I would solve this by substituting a string value for the quotes and then replacing the quotes back in when they need to be displayed. There is no way I know of to process an escape and store it as [ \" ]; the escape \ will be lost. Depending on how you intend on using the value of " or ' you may want to return the value to dec, hex, oct or html respectively instead of the string value " or '. And I always make it a practice to insert all data into a database table as hex ( %22 ); an easy way is to use urlencode() and urldecode() to return values. This will ensure that no illegal values are passed into the database. If you need to give a variable a value of HTML code, an easy way to do this without using escaping is by writing the value in hex and decoding it into the variable:
Code:
$foo = urldecode("%3Cinput+type%3D%22hidden%22+name%3D%22name%22+value%3D%22".$bar."%22%3E");
$foo now contains <input type="hidden" name="name" value="$bar">
substitution will also work:
if $foo contains <input type="hidden" name="name" value='$bar'>
$foo = str_replace('"', '#d_quote', $foo, $true);
$foo contains <input type=#d_quotehidden#d_quote name=#d_quotename#d_quote value=#d_quote$bar#d_quote>
$foo = str_replace("'", '#s_quote', $foo, $true);
$foo contains <input type=#d_quotehidden#d_quote name=#d_quotename#d_quote value=#s_quote$bar#s_quote>
revert values back to string " and ' values:
$foo = str_replace('#d_quote', '"', $foo, $true);
$foo = str_replace('#s_quote', "'", $foo, $true);
$foo now contains <input type="hidden" name="name" value='$bar'>
I hope this gives you some ideas and helps.
Re: Trouble with quotes and double quotes
Posted: Mon Jan 27, 2014 8:11 pm
by barb woolums
Ok I am using the substitution method - now the value posted to the second page is "its_quotes 1d_quote"
Now I can't figure out how to display it in an input on this page
Re: Trouble with quotes and double quotes
Posted: Mon Jan 27, 2014 9:35 pm
by phper2014
Please post your PHP code and explain the required result you want it to produce and I will help you figure it out.
Re: Trouble with quotes and double quotes
Posted: Mon Jan 27, 2014 9:39 pm
by Christopher
Try this. See what is displayed and view source to see the actual value.
test.php
Code:
<form action="test.php" method="post">
<?php
if (isset($_POST['name'])) {
    // escape the posted value before echoing it back into the page
    echo "name=".htmlspecialchars($_POST['name'], ENT_QUOTES).".<br>";
} else {
    $name="it's 1\"";
    // double-quoted attribute; htmlspecialchars() turns the " into &quot;
    $nameinput='<input type="hidden" name="name" value="'.htmlspecialchars($name).'">';
    echo $nameinput;
}
?>
<input type="submit" name="go" value="Submit">
</form>
Re: Trouble with quotes and double quotes
Posted: Mon Jan 27, 2014 9:48 pm
by barb woolums
Yay working now - thanks everyone!!!
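The hidden-input round trip discussed in this thread, as an added example that is not code from any of the posters: it renders the thread's test string with different quote styles and htmlspecialchars() flags, then reports which renderings deliver the original value. field() and browser_value() are hypothetical helpers, DOMDocument (PHP's dom extension) stands in for the browser's attribute parsing, and ENT_COMPAT is passed explicitly because it was the htmlspecialchars() default before PHP 8.1.

```php
<?php
// Added example, not code from the thread. field() and browser_value() are
// hypothetical helpers; DOMDocument stands in for the browser's HTML parser.

// Build an input whose value attribute is delimited by $quote and escaped with $flags.
// Passing $flags = null skips escaping, like the second-page print() in the thread.
function field(string $value, string $quote, ?int $flags): string
{
    $escaped = $flags === null ? $value : htmlspecialchars($value, $flags, 'UTF-8');
    return '<input type="hidden" name="name" value=' . $quote . $escaped . $quote . '>';
}

// Parse the markup and return the value the browser would submit for the field.
function browser_value(string $html): string
{
    $previous = libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<form>' . $html . '</form>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

$name = "it's 1\"";   // the test string from the thread, as stored (no backslashes)

$cases = [
    'no escaping, double-quoted attribute' => field($name, '"', null),
    'ENT_COMPAT, single-quoted attribute'  => field($name, "'", ENT_COMPAT),
    'ENT_COMPAT, double-quoted attribute'  => field($name, '"', ENT_COMPAT),
    'ENT_QUOTES, single-quoted attribute'  => field($name, "'", ENT_QUOTES),
    'ENT_QUOTES, double-quoted attribute'  => field($name, '"', ENT_QUOTES),
];

foreach ($cases as $label => $html) {
    $received = browser_value($html);
    printf("%-40s %s\n    markup:   %s\n    received: %s\n",
        $label, $received === $name ? 'round-trips' : 'CORRUPTED', $html, $received);
}
```

On the receiving page PHP has already decoded the posted value in $_POST, so it needs no urldecode(); it is escaped again with htmlspecialchars() when it is written into the next form.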