Text areas in forms bomb if apostrophe is added by user

the9ulaire
Forum Commoner
Posts: 74
Joined: Mon Jun 11, 2007 11:31 am


Post by the9ulaire »

I'm still working through my book on PHP here. And various times textareas have been used, but if the user is to add an apostrophe in the form, upon submit the form bombs. If all apostrophes are taken out, then it is fine. How do I fix this?

Thanks!
Luke
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Escape them. The book was likely written under the assumption magic_quotes features were on.

mysql_real_escape_string() for example.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

get_magic_quotes_gpc() might also be useful
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
the9ulaire
Forum Commoner
Posts: 74
Joined: Mon Jun 11, 2007 11:31 am

Post by the9ulaire »

Sorry for such a delayed response, I've been quite busy and in and out of the state.

My phpMyAdmin doesn't want to accept apostrophes either. Here's my situation:

I'm starting off simple and setting up a few pages that are database driven. All they do is display the content found in the longtext field of my table.

However, I am also switching hosts this week so that could make a difference if magic quotes are turned on, perhaps...?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

If magic quotes is off then you need to escape data programmatically using something like add_slashes() or mysql_real_escape_string().

A simple test for what PHP is seeing is to set up a form with a text area that posts back to itself. Then add some data to the form with all sorts of special characters, then post it. On post, echo the content of the form to see what PHP just saw.

I would recommend you do this on your local server so no one can do anything stupid to a live, world accessible server.
the9ulaire
Forum Commoner
Posts: 74
Joined: Mon Jun 11, 2007 11:31 am

Post by the9ulaire »

Since I'm so new to php, I've been hoping that my switch to a new host would have magic quotes turned on on the server. I ran the function to get magic quotes and it returned a 1.

I'm hoping this will solve my problems so I don't have to figure out anything more complicated right now.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I know it seems like a lot to do right now, but I would really consider checking for magic_quotes in any code you write. You never know what the server setup will be when you deploy your code, and honestly, it is easier to program for it than it is to look for a host that has the setting the way you want.
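
The self-posting test form and the magic_quotes check described in the two posts above, combined into one page. This is an added example that is not part of the original thread; the field name `comment` and the helper `raw_post()` are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Save as a single file on a local
// server, open it, type text with apostrophes and quotes, and submit.

// Return a POST field as the user typed it. If magic_quotes_gpc exists and is
// on, PHP has already inserted backslashes, so remove them here. The
// function_exists() guard is needed because the function was removed in PHP 8.0.
function raw_post($key)
{
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

$seen  = isset($_POST['comment']) ? $_POST['comment'] : ''; // exactly what PHP handed the script
$typed = raw_post('comment');                               // normalized: what the user typed

// $typed is the value to escape for the database (for example with
// mysql_real_escape_string() on an open connection) just before building the
// query. Escaping $seen instead would store doubled backslashes when magic
// quotes is on.
?>
<form method="post" action="">
  <textarea name="comment" rows="5" cols="60"><?php
      // Encode for HTML so the typed text is shown, not interpreted as markup.
      echo htmlspecialchars($typed, ENT_QUOTES);
  ?></textarea>
  <input type="submit" value="Post">
</form>
<?php if ($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
  <p>PHP received: <code><?php echo htmlspecialchars($seen, ENT_QUOTES); ?></code></p>
  <p>After undoing magic quotes: <code><?php echo htmlspecialchars($typed, ENT_QUOTES); ?></code></p>
<?php endif; ?>
```

If the two lines differ after submitting `it's`, magic quotes is on for that server; if they match, the script is responsible for all escaping.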
gregorious
Forum Commoner
Posts: 34
Joined: Wed Aug 23, 2006 9:55 am
Location: Orlando, FL

might be off base with this

Post by gregorious »

I am new too, so I might be off base with this.

I just ran a test on one of my forms with these characters ` ~ ! @ # $ % ^ & * ( ) = + [ ] { } ' " ; : . ? * and I did not get any problems. My form writes to a MYSQL table, and my EDIT page GETS the text from the table using htmlspecialchars - it converts special characters for safe use as HTML attributes. And magic_quotes_gpc is ON in my case.

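Code:

<?php
// magic_quotes_gpc may already have added backslashes; undo that so the
// value is escaped exactly once, then escape it for MySQL explicitly.
$id = $_GET['id'];
if (get_magic_quotes_gpc()) {
    $id = stripslashes($id);
}
$id = mysql_real_escape_string($id);

$textarray = @mysql_query("SELECT * FROM tablename WHERE record_id='$id'");
if (!$textarray) {
    exit('<p>Error GETTING data from database: ' . mysql_error() . '</p>');
}

$textarray = mysql_fetch_array($textarray);
$head = $textarray['head'];
$description = $textarray['description'];

// Encode for HTML output so quotes and angle brackets display as text.
$head = htmlspecialchars($head);
$description = htmlspecialchars($description);
?>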