RE: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-07 Thread matt stewart

No! don't get them started again! my inbox won't take it
any more.

-Original Message-
From: Boaz Yahav [mailto:[EMAIL PROTECTED]]
Sent: 05 January 2002 08:07
To: Bogdan Stancescu; Jonathan Hilgeman
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Fixed Quote Marks in Inputs


I just read your thread and I have to say that I was intrigued both by
the subject (which is interesting) and by the different views you show.

I just have one question for Jonathan :

If you store the ' and " as &#039; and &#034; what do you do if you need
to show the data later on in a non HTML format (text file for example).
Wouldn't you still need to convert back to ' and " before you show the
text?

Sincerely

  berber

Visit http://www.weberdev.com Today!!! 
To see where PHP might take you tomorrow.


-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 05, 2002 1:44 AM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: [PHP-DB] Fixed Quote Marks in Inputs


Ok, seems like I misjudged you and I apologize for that.

I haven't changed my opinion about the very issue we've been discussing -
only wanted to post the sentence above, just for the record.

Bogdan

Jonathan Hilgeman wrote:

 Apparently, the experienced way is to store them with slashes, which is what
 I've followed for years. I consider years of programming to be a fair amount
 of experience, thus qualifying me to be experienced. ANYHOW, after finally
 thinking a bit outside the box and with some valuable input from some
 co-workers, we came up with this function which is a much more efficient
 solution in this matter than the experienced way you proposed.

 My purpose in even posting this function was so that other people could
 avoid having to go through the same problems I faced when using the proper
 and apparently experienced method that I only used because I listened to
 programmers like you (mind you, I said LIKE you, not YOU) who believe in
 standard procedure in all cases without considering more efficient options.


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]






RE: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-07 Thread Jonathan Hilgeman

Although my case was targeted specifically at forms and inputs, your
question depends on how your application would write to the text file. 

When an HTML entity is retrieved from the database and put into the VALUE of
an INPUT box or put in between TEXTAREA tags, the HTML entity is left encoded
in the source code, but it is translated into the quote mark character when
the page is viewed. 

So if you were to fetch a database record, put its values on a form, and hit
a submit button to save it to a text file immediately, the text file would
contain the quote marks, not the HTML entities. That's why I find this all
very useful. I am able to convert the entity just before I insert data into
the database. Once I retrieve it, in most cases the entity will be
translated anyway by the browser. Not sure if that's confusing, but that's
the best way I can think of to explain it right now...

- Jonathan

-Original Message-
From: Boaz Yahav [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 05, 2002 12:07 AM
To: Bogdan Stancescu; Jonathan Hilgeman
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] Fixed Quote Marks in Inputs


I just read your thread and I have to say that I was intrigued both by
the subject (which is interesting) and by the different views you show.

I just have one question for Jonathan :

If you store the ' and " as &#039; and &#034; what do you do if you need
to show the data later on in a non HTML format (text file for example).
Wouldn't you still need to convert back to ' and " before you show the
text?

Sincerely

  berber

Visit http://www.weberdev.com Today!!! 
To see where PHP might take you tomorrow.


-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 05, 2002 1:44 AM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: [PHP-DB] Fixed Quote Marks in Inputs


Ok, seems like I misjudged you and I apologize for that.

I haven't changed my opinion about the very issue we've been discussing -
only wanted to post the sentence above, just for the record.

Bogdan

Jonathan Hilgeman wrote:

 Apparently, the experienced way is to store them with slashes, which is what
 I've followed for years. I consider years of programming to be a fair amount
 of experience, thus qualifying me to be experienced. ANYHOW, after finally
 thinking a bit outside the box and with some valuable input from some
 co-workers, we came up with this function which is a much more efficient
 solution in this matter than the experienced way you proposed.

 My purpose in even posting this function was so that other people could
 avoid having to go through the same problems I faced when using the proper
 and apparently experienced method that I only used because I listened to
 programmers like you (mind you, I said LIKE you, not YOU) who believe in
 standard procedure in all cases without considering more efficient options.






RE: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-05 Thread Boaz Yahav

I just read your thread and I have to say that I was intrigued both by
the subject (which is interesting) and by the different views you show.

I just have one question for Jonathan :

If you store the ' and " as &#039; and &#034; what do you do if you need
to show the data later on in a non HTML format (text file for example).
Wouldn't you still need to convert back to ' and " before you show the
text?

Sincerely

  berber

Visit http://www.weberdev.com Today!!! 
To see where PHP might take you tomorrow.


-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 05, 2002 1:44 AM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: [PHP-DB] Fixed Quote Marks in Inputs


Ok, seems like I misjudged you and I apologize for that.

I haven't changed my opinion about the very issue we've been discussing -
only wanted to post the sentence above, just for the record.

Bogdan

Jonathan Hilgeman wrote:

 Apparently, the experienced way is to store them with slashes, which is what
 I've followed for years. I consider years of programming to be a fair amount
 of experience, thus qualifying me to be experienced. ANYHOW, after finally
 thinking a bit outside the box and with some valuable input from some
 co-workers, we came up with this function which is a much more efficient
 solution in this matter than the experienced way you proposed.

 My purpose in even posting this function was so that other people could
 avoid having to go through the same problems I faced when using the proper
 and apparently experienced method that I only used because I listened to
 programmers like you (mind you, I said LIKE you, not YOU) who believe in
 standard procedure in all cases without considering more efficient options.






Re: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-04 Thread Bogdan Stancescu

Those are two different things. You never mentioned your HTML problem, that's
why nobody addressed it.

So, the proper way to do it is:
1. Insert into the database using addslashes();
2. Use stripslashes() after retrieving the data if you need to;
3. Use htmlspecialchars() for displaying the data in HTML or htmlentities() if
you still have problems.

Bogdan

Jonathan Hilgeman wrote:

 I've tried those methods, but they cause problems when the values are loaded
 back into INPUTs for editing. For instance, even if the database-stored
 value is Mark\'s Pet Named \"Flea Muffin\", try loading that value into an
 INPUT so it looks like:

 <INPUT NAME='FullPetName' VALUE='Mark\'s Pet Named \"Flea Muffin\"'>

 Or try double-quotes:

 <INPUT NAME="FullPetName" VALUE="Mark\'s Pet Named \"Flea Muffin\"">

 You'll see what I mean.

 By using the HTML equivalents, the value can be loaded back into an input
 box flawlessly for easy updating, and it will display correctly when being
 pulled from the database for other usage.

 - Jonathan

 -Original Message-
 From: Rick Emery [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 04, 2002 12:11 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [PHP-DB] Fixed Quote Marks in Inputs

 Another option is to use PHP's addslashes() and stripslashes() functions.
 These will add/remove slashes in front of quotes to make them database
 friendly.

 -Original Message-
 From: Jonathan Hilgeman [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 04, 2002 2:05 PM
 To: [EMAIL PROTECTED]
 Subject: [PHP-DB] Fixed Quote Marks in Inputs

 I finally came up with a reliable solution that I can use when I'm dealing
 with form inputs that can contain quote marks (single or double quotes). To
 store quote marks, you can str_replace them with their HTML code
 equivalents. For single quote marks, this is &#039;, and for double quote
 marks it's &#034;

 So before I insert any input into my database, I run my below function on
 all the data:

 // Replace quotes with their &#039; and &#034; equivalents
 function PrepareQuotes($Var)
 {
     // Single quote -> numeric HTML entity
     $Var = str_replace("'", "&#039;", $Var);
     // Double quote -> numeric HTML entity
     $Var = str_replace('"', "&#034;", $Var);
     return $Var;
 }

 Hope this helps someone else.

 - Jonathan





RE: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-04 Thread Jonathan Hilgeman

How is it the \"proper\" way to do it and why does it have to remain the
\"proper\" way of doing it? Simply because it retains the same character in
the database? What good is that if the data will simply be extracted and
unslashed at a later point anyway?

How the data is kept internally should not be an issue if it is only stored
to be later extracted and parsed anyway. That's a partial reason we use
timestamps instead of storing the full date everywhere. It's called proper
representation.

And I think in cases where HTML forms are used in conjunction with
databases, the HTML equivalents are a heck of a lot more proper than
slashes, not to mention more efficient. The only downside I see is that
instead of taking up 2 characters, it takes up 6, but since many fields we
all use won't ever contain quotes, I see it as a more than reasonable
trade-off. 

I personally consider it a bad habit to use slashes unless you're dealing
with regexes. And not everybody does it that way.

- Jonathan

-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 04, 2002 1:41 PM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: [PHP-DB] Fixed Quote Marks in Inputs


That would be because this way you'll end up with the proper data in the
database instead of HTML-encoded strings. Plus it's the proper way to do it --
everybody does it this way and it's a good habit.

Bogdan

Jonathan Hilgeman wrote:

 I thought I made it somewhat clear:
  when I'm dealing with form inputs that can contain quote marks

 Why run 3 functions at separate times when you can run one once just before
 data is inserted into the database?





Re: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-04 Thread Bogdan Stancescu

It seems obvious to me that you can do whatever you please - I was just
suggesting what seems to me as the proper way to do it.

Why I say it's the proper way to do the job is because you never know about
future development and storing the data in ASCII seems to me as the most
convenient approach to avoid possible problems later on. But then again, this
is my own opinion - you are free to implement whatever solution you find most
suitable.

Bogdan

Jonathan Hilgeman wrote:

 How is it the \"proper\" way to do it and why does it have to remain the
 \"proper\" way of doing it? Simply because it retains the same character in
 the database? What good is that if the data will simply be extracted and
 unslashed at a later point anyway?

 How the data is kept internally should not be an issue if it is only stored
 to be later extracted and parsed anyway. That's a partial reason we use
 timestamps instead of storing the full date everywhere. It's called proper
 representation.

 And I think in cases where HTML forms are used in conjunction with
 databases, the HTML equivalents are a heck of a lot more proper than
 slashes, not to mention more efficient. The only downside I see is that
 instead of taking up 2 characters, it takes up 6, but since many fields we
 all use won't ever contain quotes, I see it as a more than reasonable
 trade-off.

 I personally consider it a bad habit to use slashes unless you're dealing
 with regexes. And not everybody does it that way.

 - Jonathan

 -Original Message-
 From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 04, 2002 1:41 PM
 To: Jonathan Hilgeman
 Cc: '[EMAIL PROTECTED]'
 Subject: Re: [PHP-DB] Fixed Quote Marks in Inputs

 That would be because this way you'll end up with the proper data in the
 database instead of HTML-encoded strings. Plus it's the proper way to do it --
 everybody does it this way and it's a good habit.

 Bogdan

 Jonathan Hilgeman wrote:

  I thought I made it somewhat clear:
   when I'm dealing with form inputs that can contain quote marks
 
  Why run 3 functions at separate times when you can run one once just before
  data is inserted into the database?





RE: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-04 Thread Jonathan Hilgeman

I realize that part - my whole point was that it didn't really matter how it
was stored as long as it gets extracted/parsed correctly. With that in mind,
instead of using 3 functions to store, extract, and parse the data, I can
use one function to prepare the data to be stored in a format that can be
extracted directly into a form-friendly format.

Not to mention that HTML entities are still ASCII characters, and I do not
foresee any problems with using the HTML entities in place of quote marks. 

To me, it makes the most sense. Quote marks are generally special characters
used everywhere, and storing them as quote marks instead of the entities
seems to be asking for trouble, in my opinion. I've stored values using
slashes for the past few years, and that method has given so many
problems... Speaking as an experienced web programmer, I believe this is a
much more practical method for a lot of us. 

- Jonathan

-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 04, 2002 2:39 PM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: [PHP-DB] Fixed Quote Marks in Inputs


Oh, one more thing - maybe you don't understand what the slashing is for: you
don't store \" in the database -- the slash is there just so the MySQL
statement is correct. MySQL knows about slashing and will replace your \" with
" so what you store in the database is exactly what the user typed in the input
box.

Bogdan

Jonathan Hilgeman wrote:

 How is it the \"proper\" way to do it and why does it have to remain the
 \"proper\" way of doing it? Simply because it retains the same character in
 the database? What good is that if the data will simply be extracted and
 unslashed at a later point anyway?

 How the data is kept internally should not be an issue if it is only stored
 to be later extracted and parsed anyway. That's a partial reason we use
 timestamps instead of storing the full date everywhere. It's called proper
 representation.

 And I think in cases where HTML forms are used in conjunction with
 databases, the HTML equivalents are a heck of a lot more proper than
 slashes, not to mention more efficient. The only downside I see is that
 instead of taking up 2 characters, it takes up 6, but since many fields we
 all use won't ever contain quotes, I see it as a more than reasonable
 trade-off.

 I personally consider it a bad habit to use slashes unless you're dealing
 with regexes. And not everybody does it that way.

 - Jonathan

 -Original Message-
 From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 04, 2002 1:41 PM
 To: Jonathan Hilgeman
 Cc: '[EMAIL PROTECTED]'
 Subject: Re: [PHP-DB] Fixed Quote Marks in Inputs

 That would be because this way you'll end up with the proper data in the
 database instead of HTML-encoded strings. Plus it's the proper way to do it --
 everybody does it this way and it's a good habit.

 Bogdan

 Jonathan Hilgeman wrote:

  I thought I made it somewhat clear:
   when I'm dealing with form inputs that can contain quote marks
 
  Why run 3 functions at separate times when you can run one once just before
  data is inserted into the database?





RE: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-04 Thread Jonathan Hilgeman

Apparently, the experienced way is to store them with slashes, which is what
I've followed for years. I consider years of programming to be a fair amount
of experience, thus qualifying me to be experienced. ANYHOW, after finally
thinking a bit outside the box and with some valuable input from some
co-workers, we came up with this function which is a much more efficient
solution in this matter than the experienced way you proposed. 

My purpose in even posting this function was so that other people could
avoid having to go through the same problems I faced when using the proper
and apparently experienced method that I only used because I listened to
programmers like you (mind you, I said LIKE you, not YOU) who believe in
standard procedure in all cases without considering more efficient options. 

- Jonathan

-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 04, 2002 3:11 PM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: [PHP-DB] Fixed Quote Marks in Inputs


Ok, as I said before, you can store whatever you please in your database.
However, please don't speak as an experienced web programmer when not longer
than three hours ago you finally found a solution to store quoted text in a
database.

Bogdan

Jonathan Hilgeman wrote:

 I realize that part - my whole point was that it didn't really matter how it
 was stored as long as it gets extracted/parsed correctly. With that in mind,
 instead of using 3 functions to store, extract, and parse the data, I can
 use one function to prepare the data to be stored in a format that can be
 extracted directly into a form-friendly format.

 Not to mention that HTML entities are still ASCII characters, and I do not
 foresee any problems with using the HTML entities in place of quote marks.

 To me, it makes the most sense. Quote marks are generally special characters
 used everywhere, and storing them as quote marks instead of the entities
 seems to be asking for trouble, in my opinion. I've stored values using
 slashes for the past few years, and that method has given so many
 problems... Speaking as an experienced web programmer, I believe this is a
 much more practical method for a lot of us.





Re: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-04 Thread Bogdan Stancescu

Ok, seems like I misjudged you and I apologize for that.

I haven't changed my opinion about the very issue we've been discussing - only
wanted to post the sentence above, just for the record.

Bogdan

Jonathan Hilgeman wrote:

 Apparently, the experienced way is to store them with slashes, which is what
 I've followed for years. I consider years of programming to be a fair amount
 of experience, thus qualifying me to be experienced. ANYHOW, after finally
 thinking a bit outside the box and with some valuable input from some
 co-workers, we came up with this function which is a much more efficient
 solution in this matter than the experienced way you proposed.

 My purpose in even posting this function was so that other people could
 avoid having to go through the same problems I faced when using the proper
 and apparently experienced method that I only used because I listened to
 programmers like you (mind you, I said LIKE you, not YOU) who believe in
 standard procedure in all cases without considering more efficient options.







RE: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-04 Thread Jonathan Hilgeman

And I apologize if I came off as ultra-defensive/rude. I had a bad day, a
bright idea, and then felt like someone was tearing it to pieces. This is
like the PHP soap opera.

- Jonathan

-Original Message-
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 04, 2002 3:44 PM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: [PHP-DB] Fixed Quote Marks in Inputs


Ok, seems like I misjudged you and I apologize for that.

I haven't changed my opinion about the very issue we've been discussing -
only wanted to post the sentence above, just for the record.

Bogdan

Jonathan Hilgeman wrote:

 Apparently, the experienced way is to store them with slashes, which is what
 I've followed for years. I consider years of programming to be a fair amount
 of experience, thus qualifying me to be experienced. ANYHOW, after finally
 thinking a bit outside the box and with some valuable input from some
 co-workers, we came up with this function which is a much more efficient
 solution in this matter than the experienced way you proposed.

 My purpose in even posting this function was so that other people could
 avoid having to go through the same problems I faced when using the proper
 and apparently experienced method that I only used because I listened to
 programmers like you (mind you, I said LIKE you, not YOU) who believe in
 standard procedure in all cases without considering more efficient options.





Re: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-04 Thread Bogdan Stancescu

Ok, finally found a valid argument! :-)

What if the user enters I'm aware that 23!?

Bogdan

Jonathan Hilgeman wrote:

 And I apologize if I came off as ultra-defensive/rude. I had a bad day, a
 bright idea, and then felt like someone was tearing it to pieces. This is
 like the PHP soap opera.






Re: [PHP-DB] Fixed Quote Marks in Inputs

2002-01-04 Thread Bogdan Stancescu

Bogdan Stancescu wrote:

 Ok, finally found a valid argument! :-)

 What if the user enters I'm aware that 23!?

 Bogdan

Tested it - it works. However, you'll have big problems if you'll ever need to
echo the data. Consider this example:

Enter description: input box

The user enters Edited by Bogdan's wife <[EMAIL PROTECTED]>. You now want to store
this. You'll first use your algorithm to convert the ' into &#039;. You store
the result in the database.

Now you want to display this data. You retrieve Edited by Bogdan&#039;s wife
<[EMAIL PROTECTED]> from the database. What next? You can't simply echo this because
that would apparently omit <[EMAIL PROTECTED]>. You can't htmlspecialchars() either
because that would result in Edited by Bogdan&amp;#039;s wife
&lt;[EMAIL PROTECTED]&gt; which is not right.

So there, that's why you should store the text as everybody else does. :-)

Bogdan
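
Added example (not part of the original thread): the PHP sketch below runs the scenario from the last message against both storage schemes discussed above, storing the text as typed and encoding at output versus running PrepareQuotes() before the insert. It assumes PHP 8 with pdo_sqlite; the notes table, the html() and verdict() helpers and the sample address are made up for illustration, and bound parameters stand in for the addslashes() step debated in the thread.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8 with pdo_sqlite;
// the notes table and the sample address are constructed for illustration.

// The function from the thread, with its quote characters restored.
function PrepareQuotes(string $var): string
{
    $var = str_replace("'", "&#039;", $var);
    return str_replace('"', "&#034;", $var);
}

// Output-time encoder for HTML text and quoted attribute values.
function html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Classify a piece of markup: would a browser show exactly $original as text?
function verdict(string $markup, string $original): string
{
    if (strpbrk($markup, '<>') !== false) {
        return 'unencoded < or > reaches the browser as markup';
    }
    // A browser decodes character references exactly once.
    $shown = html_entity_decode($markup, ENT_QUOTES, 'UTF-8');
    return $shown === $original
        ? 'displays exactly what was typed'
        : 'double-encoded, entity text becomes visible';
}

// Constructed input modelled on the last message in the thread.
$input = 'Edited by Bogdan\'s "wife" <wife@example.test>';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Bound parameters keep the value out of the SQL text, so the database
// stores the bytes as given and nothing has to be un-slashed on the way out.
$ins = $db->prepare('INSERT INTO notes (body) VALUES (?)');
$ins->execute([$input]);                 // id 1: stored as typed
$ins->execute([PrepareQuotes($input)]);  // id 2: entities baked in at storage
[$raw, $pre] = $db->query('SELECT body FROM notes ORDER BY id')
                  ->fetchAll(PDO::FETCH_COLUMN);

$cases = [
    'raw row, html() at output'      => html($raw),
    'entity row, echoed as-is'       => $pre,
    'entity row, html() at output'   => html($pre),
];
foreach ($cases as $label => $markup) {
    printf("%s\n  markup:  %s\n  verdict: %s\n", $label, $markup, verdict($markup, $input));
}

// Loading the raw row back into an edit form: encode for the attribute context.
printf("<input name=\"FullPetName\" value=\"%s\">\n", html($raw));

// Plain-text export: the raw row is written unchanged. The entity row has to
// be decoded first, and that decode cannot tell a converted quote from entity
// text the user typed literally, so the round trip is lossy.
$typed = 'Type &#039; to get an apostrophe';
$back  = html_entity_decode(PrepareQuotes($typed), ENT_QUOTES, 'UTF-8');
printf("text round trip preserved input: %s\n", $back === $typed ? 'yes' : 'no');
```

Only the first case both keeps the angle brackets out of the markup and shows the text exactly as it was typed.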


