Strings and apostrophes

spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm


Post by spacebiscuit »

Hi,

I am reading a string into a variable via an HTML form. I have noticed that if my string includes an apostrophe a slash is added in front of it...

ie if the user inputs:

This is Rob's test page

The output is:

This is Rob\'s test page

The problem is that I am writing the data into a Topspeed Clarion database and the slashes cause an error when I try and write.

Is there a way around this problem or does anyone know how to deal with strings that include apostrophes?

Many thanks in advance.

Rob Burne.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Check out stripslashes() and get_magic_quotes_gpc()
spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Post by spacebiscuit »

Hi,

stripslashes() does exactly what it says on the tin, however the problem is that when I then try and insert the data into my database the apostrophe is read at the end of the data and not as an apostrophe within the opening and closing apostrophes.

For example:

Code:

$query =  "INSERT INTO TABLE (x, y, z) 
           VALUES ('$x', '$y', '$z')";

If any of the variables is a string containing an apostrophe it causes a problem, thinking that is the end of the string.

Any ideas guys?

Many thanks,

Rob Burne.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Typically you'll addslashes() the data before sticking it into the database and stripslashes() when you bring it out before display. "magic_quotes" will do some of that for you automatically.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

For most dbms there is a dbms_(real)_escape_string function...

I would suggest you use prepared statements, as they handle all the escaping for you. If your DBMS doesn't support that, consider http://adodb.sf.net as it can emulate them.
spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Post by spacebiscuit »

Prepared statements, any suggestions?

Thanks,

Rob.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

For example, with ADOdb:

Code:

$db->Execute('INSERT INTO table (a, b, c) VALUES (?, ? , ?)', array($a, $b, $c));
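
The difference between interpolating the values and binding them, as an added example that is not part of the thread. It assumes PHP's PDO with an in-memory SQLite database as a stand-in (the thread's Topspeed Clarion database and ADOdb are not used), and the `pages` table and `title` column are hypothetical names.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the real database.
// The table "pages" and column "title" are hypothetical names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');

$title = "This is Rob's test page"; // constructed input from the first post

// 1. Interpolation: the apostrophe inside the value closes the SQL string
//    literal early, so the database receives a malformed statement.
try {
    $pdo->exec("INSERT INTO pages (title) VALUES ('$title')");
    echo "interpolated: inserted\n";
} catch (PDOException $e) {
    echo "interpolated: rejected (", $e->getMessage(), ")\n";
}

// 2. Prepared statement: the SQL text contains only a placeholder and the
//    value travels separately, so it needs no escaping.
$insert = $pdo->prepare('INSERT INTO pages (title) VALUES (?)');
$insert->execute([$title]);

// 3. Escaping and binding together: a value that already carries slashes
//    (from magic quotes or addslashes()) is stored with the backslash as
//    data. Bind the value as the user typed it: strip slashes added by
//    magic quotes first, and do not add your own.
$insert->execute([addslashes($title)]);

// Print what was stored.
foreach ($pdo->query('SELECT id, title FROM pages ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['title'], "\n";
}
```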