
Text areas in forms bomb if apostrophe is added by user

Posted: Thu Jun 28, 2007 8:57 am
by the9ulaire
I'm still working through my book on PHP here. And various times textareas have been used, but if the user is to add an apostrophe in the form, upon submit the form bombs. If all apostrophes are taken out, then it is fine. How do I fix this?

Thanks!
Luke

Posted: Thu Jun 28, 2007 9:00 am
by feyd
Escape them. The book was likely written under the assumption magic_quotes features were on.

mysql_real_escape_string() for example.

Posted: Thu Jun 28, 2007 10:44 am
by pickle
get_magic_quotes_gpc() might also be useful

Posted: Mon Jul 16, 2007 9:34 am
by the9ulaire
Sorry for such a delayed response, I've been quite busy and in and out of the state.

My phpMyAdmin doesn't want to accept apostrophes either. Here's my situation:

I'm starting off simple and setting up a few pages that are database driven. All they do is display the content found in the longtext field of my table.

However, I am also switching hosts this week so that could make a difference if magic quotes are turned on, perhaps...?

Posted: Mon Jul 16, 2007 1:24 pm
by RobertGonzalez
If magic quotes is off then you need to escape data programmatically using something like addslashes() or mysql_real_escape_string().

A simple test for what PHP is seeing is to set up a form with a text area that posts back to itself. Then add some data to the form with all sorts of special characters, then post it. On post, echo the content of the form to see what PHP just saw.

I would recommend you do this on your local server so no one can do anything stupid to a live, world accessible server.

Posted: Fri Jul 20, 2007 2:00 am
by the9ulaire
Since I'm so new to php, I've been hoping that my switch to a new host would have magic quotes turned on on the server. I ran the function to get magic quotes and it returned a 1.

I'm hoping this will solve my problems so I don't have to figure out anything more complicated right now.

Posted: Fri Jul 20, 2007 10:43 am
by RobertGonzalez
I know it seems like a lot to do right now, but I would really consider checking for magic_quotes in any code you write. You never know what the server setup will be when you deploy your code, and honestly, it is easier to program for it than it is to look for a host that has the setting the way you want.

might be off base with this

Posted: Fri Jul 20, 2007 12:01 pm
by gregorious
I am new too, so I might be off base with this.

I just ran a test on one of my forms with these characters ` ~ ! @ # $ % ^ & * ( ) = + [ ] { } ' " ; : . ? * and I did not get any problems. My form writes to a MYSQL table, and my EDIT page GETS the text from the table using htmlspecialchars - it converts special characters for safe use as HTML attributes. And magic_quotes_gpc is ON in my case.

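Code:

<?php
// Take the id as typed: undo magic_quotes_gpc if it is on, then escape it explicitly for the query.
$id = $_GET['id'];
if (get_magic_quotes_gpc()) {
    $id = stripslashes($id);
}
$id = mysql_real_escape_string($id);

$textarray = @mysql_query("SELECT * FROM tablename WHERE record_id='$id'");
if (!$textarray) {
    exit('<p>Error GETTING data from database: ' . mysql_error() . '</p>');
}

$textarray = mysql_fetch_array($textarray);
$head = $textarray['head'];
$description = $textarray['description'];

// Convert special characters so the text is safe to print into HTML.
$head = htmlspecialchars($head);
$description = htmlspecialchars($description);
?>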
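An added example, not code from any poster in this thread: it reproduces the apostrophe failure discussed above and shows the same insert succeeding with a bound parameter, regardless of the server's magic quotes setting. It uses PDO with an in-memory SQLite database in place of the thread's mysql_* functions so it runs without a server; the `pages` table, the `raw_input()` helper and the sample text are assumptions made for illustration.

```php
<?php
// Added example. Table name, column name and raw_input() are hypothetical;
// the textarea content is a constructed sample.

// Return the value as the user typed it, whether or not magic_quotes_gpc
// added backslashes. The setting no longer exists in later PHP versions,
// hence the function_exists() guard.
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)');

$body = raw_input("It's the user's text");   // constructed textarea content

// 1) Concatenation: the apostrophe ends the string literal early and the
//    statement no longer parses. This is the "form bombs" symptom.
try {
    $db->exec("INSERT INTO pages (body) VALUES ('$body')");
    $concat = 'stored';
} catch (PDOException $e) {
    $concat = 'failed: ' . $e->getMessage();
}

// 2) Bound parameter: the value travels separately from the SQL text, so
//    no escaping is needed and the server's quote settings do not matter.
$stmt = $db->prepare('INSERT INTO pages (body) VALUES (:body)');
$stmt->execute(array(':body' => $body));

$stored = $db->query('SELECT body FROM pages')->fetchColumn();

echo "concatenated insert: $concat\n";
echo 'stored value:        ' . $stored . "\n";
// Encode only at the point of writing into HTML, as in the post above.
echo 'HTML output:         ' . htmlspecialchars($stored, ENT_QUOTES) . "\n";
```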