I'm still working through my book on PHP here. And various times textareas have been used, but if the user is to add an apostrophe in the form, upon submit the form bombs. If all apostrophes are taken out, then it is fine. How do I fix this?
Thanks!
Luke
Text areas in forms bomb if apostrophe is added by user
-
the9ulaire
- Forum Commoner
- Posts: 74
- Joined: Mon Jun 11, 2007 11:31 am
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Escape them. The book was likely written under the assumption magic_quotes features were on.
mysql_real_escape_string() for example.
get_magic_quotes_gpc() might also be useful
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
-
the9ulaire
- Forum Commoner
- Posts: 74
- Joined: Mon Jun 11, 2007 11:31 am
Sorry for such a delayed response, I've been quite busy and in and out of the state.
My phpMyAdmin doesn't want to accept apostrophes either. Here's my situation:
I'm starting off simple and setting up a few pages that are database driven. All they do is display the content found in the longtext field of my table.
However, I am also switching hosts this week so that could make a difference if magic quotes are turned on, perhaps...?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
If magic quotes is off then you need to escape data programmatically using something like add_slashes() or mysql_real_escape_string().
A simple test for what PHP is seeing is to set up a form with a text area that posts back to itself. Then add some data to the form with all sorts of special characters, then post it. On post, echo the content of the form to see what PHP just saw.
I would recommend you do this on your local server so no one can do anything stupid to a live, world accessible server.
-
the9ulaire
- Forum Commoner
- Posts: 74
- Joined: Mon Jun 11, 2007 11:31 am
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
I know it seems like a lot to do right now, but I would really consider checking for magic_quotes in any code you write. You never know what the server setup will be when you deploy your code, and honestly, it is easier to program for it than it is to look for a host that has the setting the way you want.
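The self-posting test form described above, combined with the magic_quotes check recommended in this post, as an added example that is not part of the original thread. The field name `body` and the helpers `magic_quotes_on()`, `normalize_input()` and `h()` are hypothetical names chosen here.

```php
<?php
// Added example: self-posting textarea test. Run it on a local server only.
// The helper names below are hypothetical, not from the thread.

// get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
function magic_quotes_on()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Return the text as the user typed it, whatever the server setting is.
function normalize_input($value)
{
    return magic_quotes_on() ? stripslashes($value) : $value;
}

// Escape for display so the echoed text cannot inject markup into this page.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

$posted = isset($_POST['body']) && is_string($_POST['body']);
$raw    = $posted ? $_POST['body'] : '';
$clean  = normalize_input($raw);
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Textarea test</title></head>
<body>
<form method="post" action="">
<textarea name="body" rows="6" cols="60"><?php echo h($clean); ?></textarea>
<br><input type="submit" value="Post">
</form>
<?php if ($posted): ?>
<p>magic_quotes_gpc: <?php echo magic_quotes_on() ? 'on' : 'off'; ?></p>
<p>What PHP received:</p>
<pre><?php echo h($raw); ?></pre>
<p>After undoing magic quotes (escape this value for SQL, not the raw one):</p>
<pre><?php echo h($clean); ?></pre>
<?php endif; ?>
</body>
</html>
```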
- gregorious
- Forum Commoner
- Posts: 34
- Joined: Wed Aug 23, 2006 9:55 am
- Location: Orlando, FL
might be off base with this
I am new too, so I might be off base with this.
I just ran a test on one of my forms with these characters ` ~ ! @ # $ % ^ & * ( ) = + [ ] { } ' " ; : . ? * and I did not get any problems. My form writes to a MYSQL table, and my EDIT page GETS the text from the table using htmlspecialchars - it converts special characters for safe use as HTML attributes. And magic_quotes_gpc is ON in my case.
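Code:
<?php
// Undo magic_quotes_gpc if it is on, then escape for the query ourselves,
// so the lookup does not depend on the server setting.
$id = $_GET['id'];
if (get_magic_quotes_gpc()) {
    $id = stripslashes($id);
}
$id = mysql_real_escape_string($id);

$textarray = @mysql_query("SELECT * FROM tablename WHERE record_id='$id'");
if (!$textarray) {
    exit('<p>Error GETTING data from database: ' . mysql_error() . '</p>');
}
$textarray = mysql_fetch_array($textarray);
$head = $textarray['head'];
$description = $textarray['description'];
// Escape for output into HTML.
$head = htmlspecialchars($head);
$description = htmlspecialchars($description);
?>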