Escaping ' tags from search outputs

Posted: Fri Dec 16, 2005 9:24 am
by stylus
Hello,

When I run this page it automatically returns all the records from my database, and the "Johnny's Selected Seeds" record becomes "selected". The option tag is broken because of the ' in the name of the company and then the "selected" becomes part of the HTML tag. This is what it looks like when I view source:

"<option value=Johnny's Selected Seeds>Johnny's Selected Seeds</option>"

What do I need to use to escape around the data output so that the HTML tags don't see the '?


Here is my code thus far:

Code:

<form name="search" action="sqltest.php" method="post">
<input type="text" name="search">
<input type="submit" name="submit" value="go">
</form>


<?
$server="REMOVED BY HAWLEYJR";
$username="REMOVED BY HAWLEYJR";
$password="REMOVED BY HAWLEYJR";
$sqlconnect=mssql_connect($server, $username, $password);
$sqldb=mssql_select_db("COApgar",$sqlconnect);
$sqlquery="SELECT CustomerName FROM ARCustomers WHERE CustomerName LIKE '$_POST[search]%' ORDER BY CustomerName;";
$results= mssql_query($sqlquery);

echo "<select name='subcat'><option> </option>";
while($row = mssql_fetch_array($results)) {
echo "<option value=$row[CustomerName]>$row[CustomerName]</option>";
}
echo "</select>";
echo "<input type=submit value=Submit>";
echo "</form>";
mssql_close($sqlconnect);
?>

Posted: Fri Dec 16, 2005 9:28 am
by hawleyjr
You need to put quotes around the value:

Code:

<option value="Johnny's Selected Seeds">Johnny's Selected Seeds</option>

If the value has a double quote in it, you need to replace the double quote with: &quot;

Posted: Fri Dec 16, 2005 9:37 am
by stylus
Hello,

If I set it up like this:
echo '<option value="$row[CustomerName]">$row[CustomerName]</option>';

I get an error message:

Parse error: parse error, unexpected T_VARIABLE, expecting ',' or ';' in D:\Data\Inetpub\wwwroot\sqltest.php on line 18


If I set it up like this:
echo '<option value="$row[CustomerName]">$row[CustomerName]</option>';

The displayed text in the drop down list is $row[CustomerName]

Posted: Fri Dec 16, 2005 9:52 am
by twigletmac
PHP doesn't parse values in single quotes, so you would need to change:

Code:

echo '<option value="$row[CustomerName]">$row[CustomerName]</option>';
to something like

Code:

echo '<option value="'.$row['CustomerName'].'">'.$row['CustomerName'].'</option>';
Mac

Posted: Fri Dec 16, 2005 10:39 am
by stylus
Ah ha, it is the periods before and after that I needed to make it work.

Thanks
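
Added example (not part of any post in this thread): quoting the attribute fixes the apostrophe case, but a name containing a double quote, `&` or `<` still breaks the markup unless it is encoded, which PHP's `htmlspecialchars()` with `ENT_QUOTES` does. The helper names (`h`, `render_option`, `render_select`) and every sample row except the one from the thread are constructed for illustration.

```php
<?php
// Added example: constructed sample rows stand in for the mssql_fetch_array() results.
$rows = [
    ['CustomerName' => "Johnny's Selected Seeds"],   // apostrophe (the case from the thread)
    ['CustomerName' => 'Acme 12" Pots & Planters'],  // constructed: double quote and ampersand
    ['CustomerName' => 'Smith <Wholesale> Co'],      // constructed: angle brackets
];

// Hypothetical helper: encode a value for HTML text or a quoted attribute.
function h(string $value): string
{
    // ENT_QUOTES encodes both " and ' so either quoting style stays intact;
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The pattern from the original question: unquoted attribute, no encoding.
function render_option_unquoted(string $name): string
{
    return "<option value=$name>$name</option>";
}

// Quoted attribute plus encoding in both places the value is written.
function render_option(string $name): string
{
    return '<option value="' . h($name) . '">' . h($name) . '</option>';
}

// Build the whole drop-down from the result rows.
function render_select(array $rows): string
{
    $html = '<select name="subcat"><option value=""></option>';
    foreach ($rows as $row) {
        $html .= render_option($row['CustomerName']);
    }
    return $html . '</select>';
}

// First line shows the broken markup from the question, second the encoded list.
echo render_option_unquoted($rows[0]['CustomerName']), "\n";
echo render_select($rows), "\n";
```

The browser decodes the entities when the form is submitted, so the posted `subcat` value is the original customer name.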