[PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?

-Brad

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?


if this is about escaping single quotes (and there may be other stuff that needs
escaping - stuff I can't think of right now - stuff that may or may not be related
to the encoding one is using [e.g. unicode]) then one should be escaping single quotes
with single quotes:

UPDATE blatable SET blafield = 'my ''blablabla''';

which all decent/recent DBMS' support IIRC.


-Brad






Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski



Jochem Maas wrote:


Brad Bonkoski wrote:


All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have 
a *real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?



if this is about escaping single quotes (and there may be other stuff that needs
escaping - stuff I can't think of right now - stuff that may or may not be related
to the encoding one is using [e.g. unicode]) then one should be escaping single quotes
with single quotes:

UPDATE blatable SET blafield = 'my ''blablabla''';

which all decent/recent DBMS' support IIRC.

Understood what the escape character needs to be...the question is the
best way to get it there?

Currently I have:
magic_quotes_sybase = On
so a function call like addslashes() would actually escape single quotes
with another single quote...

Is there a better/more secure way?


-Brad








Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?


looking at the manual I would assume that ora_bind() is the best way of safely
stuffing things into an oracle DB:

http://php.net/manual/en/function.ora-bind.php

if this function is of any worth it *should* be doing any/all proper escaping of
data 'under water' and hopefully much more thoroughly/correctly than anything you/we
could do in userland.

<remark type=biased>
of course you could use firebird DB (php5 interbase extension) and just make use of
the built in parameterized query functionality - which is simple to use, doesn't
require endless reams of parameter binding declaration and is rock solid (i.e. no
matter how crap my input filtering is SQL injection remains impossible ;-))
</remark>

It seems that addslashes gets a lot of flack, but is there any 
other/better way?

-Brad






Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:



Jochem Maas wrote:



...



Understood what the escape character needs to be...the question is the
best way to get it there?

Currently I have:
magic_quotes_sybase = On


this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

so a function call like addslashes() would actually escape single quotes 
with another single quote...




Is there a better/more secure way?


my preference is to have all magic_quote_BLA ini settings set to
off and explicitly escape my data (after validation/cleaning) according to
the context the data is being used in (e.g. DB insertion as per this discussion)

if/when trying to write truly portable code you will have to have routines
that check the actual magic quotes settings and depending on the actual values/settings
normalize your data accordingly... which can be a right PITA to do properly :-)




-Brad










Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski



Jochem Maas wrote:


Brad Bonkoski wrote:




Jochem Maas wrote:



...



Understood what the escape character needs to be...the question is
the best way to get it there?

Currently I have:
magic_quotes_sybase = On



this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

Only done automatically IFF magic_quotes_gpc is ALSO on, which in my 
case it is off.


excerpts from manual
magic_quotes_sybase *boolean* 
http://www.php.net/manual/en/language.types.boolean.php


If magic_quotes_sybase is on, a single-quote is escaped with a 
single-quote instead of a backslash if magic_quotes_gpc 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc or 
magic_quotes_runtime 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime are 
enabled.


- and -
An example use of *addslashes()* is when you're entering data into a 
database. For example, to insert the name O'reilly into a database, you 
will need to escape it. Most databases do this with a \ which would mean 
O\'reilly. This would only be to get the data into the database, the 
extra \ will not be inserted. Having the PHP directive 
magic_quotes_sybase 
http://www.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase 
set to on will mean ' is instead escaped with another '.


so a function call like addslashes() would actually escape single 
quotes with another single quote...





Is there a better/more secure way?



my preference is to have all magic_quote_BLA ini settings set to
off and explicitly escape my data (after validation/cleaning) according to
the context the data is being used in (e.g. DB insertion as per this
discussion)


if/when trying to write truly portable code you will have to have routines
that check the actual magic quotes settings and depending on the
actual values/settings
normalize your data accordingly... which can be a right PITA to do
properly :-)


Understood...
The Oracle work I do is in a 'controlled' environment, but portability 
should be factored in at some point! 
I will test out the ora_bind function to see if that does escaping for 
me, but that is a PITA!  especially with large queries...


What about your firebird suggestion, does this work well with Oracle 
connections and queries? 






-Brad












Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:





...



this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

Only done automatically IFF magic_quotes_gpc is ALSO on, which in my 
case it is off.


excerpts from manual
magic_quotes_sybase *boolean* 
http://www.php.net/manual/en/language.types.boolean.php


If magic_quotes_sybase is on, a single-quote is escaped with a 
single-quote instead of a backslash if magic_quotes_gpc 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc or 
magic_quotes_runtime 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime are 
enabled.


- and -
An example use of *addslashes()* is when you're entering data into a 
database. For example, to insert the name O'reilly into a database, you 
will need to escape it. Most databases do this with a \ which would mean 
O\'reilly. This would only be to get the data into the database, the 
extra \ will not be inserted. Having the PHP directive 
magic_quotes_sybase 
http://www.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase 
set to on will mean ' is instead escaped with another '.


consider this a reminder to myself to RTFM. ;-)

...




Is there a better/more secure way?




...



Understood...
The Oracle work I do is in a 'controlled' environment, but portability 
should be factored in at some point! I will test out the ora_bind 
function to see if that does escaping for me, but that is a PITA!  
especially with large queries...


indeed - probably worth the time to write some kind of generic routine to
do the binding based on field datatypes etc - then again that probably will cost
you performance... you know the saying, you can't have your cake and eat it.



What about your firebird suggestion, does this work well with Oracle 
connections and queries?




no my firebird suggestion only works at all when connecting to firebird 
databases. :-)
but when you do connect to a firebird db it works very well indeed ;-)




RE: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Ford, Mike
 From: Brad Bonkoski [mailto:[EMAIL PROTECTED]
 Sent: Fri 26/05/2006 15:41
 
 A lot has been said recently about the dangers of the family of
 magic_quotes...
 I understand the dangers.
 The question is, for those of us using a database that does not have a
 *real_escape_string function...Oracle for example.
 What is the *best* way to escape quotes for DB insertion?

Well, since Oracle escapes single-quotes with another single quote, on the few 
occasions when I actually have to escape I generally just run:
 
$safe_str = str_replace("'", "''", $str);
 
- 
Mike Ford,  Electronic Information Services Adviser, 
Learning Support Services, Learning & Information Services, 
JG125, James Graham Building, Leeds Metropolitan University, 
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom 
Email: [EMAIL PROTECTED] 
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




To view the terms under which this email is distributed, please go to 
http://disclaimer.leedsmet.ac.uk/email.htm


RE: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Ford, Mike
 From: Jochem Maas [mailto:[EMAIL PROTECTED]
 Sent: Fri 26/05/2006 15:54

 
 Brad Bonkoski wrote:
  All...
  A lot has been said recently about the dangers of the family of
  magic_quotes...
  I understand the dangers.
  The question is, for those of us using a database that does not have a
  *real_escape_string function...Oracle for example.
  What is the *best* way to escape quotes for DB insertion?
 
 looking at the manual I would assume that ora_bind() is the best way of safely
 stuffing things into an oracle DB:
 
 http://php.net/manual/en/function.ora-bind.php

Whoa, that is way out of date - the ora_ functions have been deprecated as 
long as I've been using PHP, which is several years now! You should be using 
the OCI extension, and oci_bind_by_name().

 if this function is of any worth it *should* be doing any/all proper escaping of
 data 'under water' and hopefully much more thoroughly/correctly than anything you/we
 could do in userland.
 
 <remark type=biased>
 of course you could use firebird DB (php5 interbase extension) and just make use of
 the built in parameterized query functionality - which is simple to use, doesn't
 require endless reams of parameter binding declaration and is rock solid (i.e. no
 matter how crap my input filtering is SQL injection remains impossible ;-))
 </remark>
 
oci_bind_by_name() (and, presumably, ora-bind() before it) *is* Oracle's 
parameterized query equivalent -- admittedly not quite as elegant, but no 
escaping required and is rock solid (i.e. no matter how crap [your] input 
filtering is SQL injection remains impossible!).
 
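Pulling the thread's three answers together, as an added example that is not code from any of the posters: a magic_quotes normalisation routine of the kind Jochem describes, Oracle's quote-doubling escape as in Mike's str_replace(), and an insert through oci_bind_by_name(). It assumes PHP 5 with the OCI8 extension, a $conn already obtained from oci_connect(), and a made-up publishers(name) table.

```php
<?php
// Added example, not from the thread. Assumes PHP 5 with the OCI8 extension,
// $conn already obtained from oci_connect(), and a hypothetical table
// publishers(name). get_magic_quotes_gpc() no longer exists in PHP 8.

// Step 1: undo whatever magic_quotes_gpc did so the data is the raw user input.
// This is the "normalize according to the actual settings" routine Jochem
// mentions. The sybase branch is lossy if the user really typed two adjacent
// single quotes, which is one more reason to leave all magic_quotes off.
function undo_magic_quotes($str)
{
    if (!get_magic_quotes_gpc()) {
        return $str;                         // nothing was added, keep as-is
    }
    if (ini_get('magic_quotes_sybase')) {
        return str_replace("''", "'", $str); // sybase mode doubled the quote
    }
    return stripslashes($str);               // default mode added backslashes
}

// Step 2a: the userland escape for an Oracle string literal: double the single
// quote. A backslash is an ordinary character to Oracle, so addslashes() would
// not escape anything and would leave stray backslashes in the stored data.
function oracle_quote_literal($str)
{
    return "'" . str_replace("'", "''", $str) . "'";
}

// Step 2b: the preferred route: a bind variable. The data never becomes part
// of the SQL text, so no escaping is needed and a quote in the input cannot
// change the statement. Returns true on success, false on failure.
function insert_publisher($conn, $name)
{
    $stmt = oci_parse($conn, 'INSERT INTO publishers (name) VALUES (:name)');
    oci_bind_by_name($stmt, ':name', $name);
    $ok = oci_execute($stmt);
    oci_free_statement($stmt);
    return $ok;
}

// Constructed sample input: the value the thread keeps coming back to.
$raw  = isset($_POST['publisher']) ? $_POST['publisher'] : "O'Reilly";
$name = undo_magic_quotes($raw);

// Literal form, for the few cases where a bind variable is not an option.
$literal_sql = 'INSERT INTO publishers (name) VALUES (' . oracle_quote_literal($name) . ')';
echo $literal_sql, "\n";

// Bound form, the one to use whenever the OCI8 extension is available.
if (isset($conn)) {
    insert_publisher($conn, $name);
}
```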


[PHP] escaping quotes

2005-01-27 Thread Giles
Hi Guys

Really simple question. How do I change the following:

print("value='" . $attributes["messageSubject"] . "'");

to have double quotes around the subject field instead. i.e.:

print("value="" . $attributes["messageSubject"] . """);

thanks

Giles Roadnight
http://giles.roadnight.name




[PHP] Re:[PHP] escaping quotes

2005-01-27 Thread Binoy AV
 

 Hi,

 Try this
 
 print("value=\"" . $attributes["messageSubject"] . "\"");


 Binoy 




[PHP] [ParrotHeadPoster] - Re: [PHP] escaping quotes

2005-01-27 Thread Jochem Maas
I had a parrot idea whilst writing this.. (see bottom)
Giles wrote:
Hi Guys
Really simple question. How do I change the following:
print("value='" . $attributes["messageSubject"] . "'");
to have double quotes around the subject field instead. i.e.:
print("value="" . $attributes["messageSubject"] . """);
you have to escape the doublequotes in question - this is done with
a backslash:
print("value=\"" . $attributes["messageSubject"] . "\"");
or like this if you find it more readable (avoids the backslashes):
printf('value="%s"', $attributes["messageSubject"]);
actually you can do loads of funky things with printf() and its brother
sprintf() etc - check out the manual for all the formatting codes (e.g. '%s')
that are available
lastly, learn what string interpolation is and why it is technically
neater to only use doublequotes to delimit your php strings when you
want/require string interpolation to happen.
---
ParrotTalk: I think that this topic of string interpolation/quotes
deserves 'parrot' attention which made me think that maybe the parrot
could parse for markers (that if added to an email by an authorized poster)
would mark the post/thread as suitable material for 'training' the 'parrot'


thanks
Giles Roadnight
http://giles.roadnight.name


RE: [PHP] escaping quotes

2005-01-27 Thread Ford, Mike



On 27 January 2005 12:14, Giles wrote:

 Hi Guys
 
 Really simple question. How do I change the following:
 
 print("value='" . $attributes["messageSubject"] . "'");
 
 to have double quotes around the subject field instead. i.e.:
 
 print("value="" . $attributes["messageSubject"] . """);

print('value="' . $attributes["messageSubject"] . '"');

Cheers!

Mike




RE: [PHP] escaping quotes

2005-01-27 Thread Mikey
 Hi Guys
 
 Really simple question. How do I change the following:
 
 print("value='" . $attributes["messageSubject"] . "'");
 
 to have double quotes around the subject field instead. i.e.:
 
 print("value="" . $attributes["messageSubject"] . """);
 

Simple:

Print ("value=\"{$attributes['messageSubject']}\"");

HTH,

Mikey




Re: [PHP] escaping quotes

2005-01-27 Thread John Holmes
Giles wrote:
Hi Guys
Really simple question. How do I change the following:
print("value='" . $attributes["messageSubject"] . "'");
to have double quotes around the subject field instead. i.e.:
print("value="" . $attributes["messageSubject"] . """);
print("value=\" . $attributes["messageSubject"] . "\"");
print("value=\"{$attributes['messageSubject']}\"");
Although, to prevent any vulnerabilities, you probably want:
print("value=\"" . htmlentities($attributes["messageSubject"]) . "\"");
if you're not already doing so at some point.
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com


[PHP] Re: [ParrotHeadPoster] - Re: [PHP] escaping quotes

2005-01-27 Thread Jason Barnett
Jochem Maas wrote:
I had a parrot idea whilst writing this.. (see bottom)
...
---
ParrotTalk: I think that this topic of string interpolation/quotes
deserves 'parrot' attention which made me think that maybe the parrot
could parse for markers (that if added to an email by an authorized poster)
would mark the post/thread as suitable material for 'training' the 'parrot'
Actually that is a pretty good way to handle it... regardless of whether 
we use the Bayesian/SPAM or Heuristic approach.  It wouldn't require 
anyone to go to any website, just reply to a message like normal and tag it.

<phParrot />
And then, if the parrot didn't already respond to the original 
message... well, then it could be trained / told to respond directly to 
that message.



Re: [PHP] escaping quotes

2005-01-27 Thread Richard Lynch
John Holmes wrote:
 print("value=\" . $attributes["messageSubject"] . "\"");

Slight typo there:

value=\"" . ...

-- 
Like Music?
http://l-i-e.com/artists.htm




RE: [PHP] escaping quotes

2005-01-27 Thread Giles
Thanks, that works great.

Knew that worked for JavaScript but didn't know it worked for PHP.

Giles Roadnight
http://giles.roadnight.name


-Original Message-
From: Richard Lynch [mailto:[EMAIL PROTECTED] 
Sent: 27 January 2005 17:07
To: John Holmes
Cc: Giles; php-general@lists.php.net
Subject: Re: [PHP] escaping quotes

John Holmes wrote:
 print("value=\" . $attributes["messageSubject"] . "\"");

Slight typo there:

value=\"" . ...




RE: [PHP] escaping quotes

2005-01-27 Thread Philip Olson

What also works is this:

 print 'value="' . $foo['bar'] . '"';

Read the manual section on strings:

 http://php.net/types.string

Regards,
Philip

On Thu, 27 Jan 2005, Giles wrote:

 Thanks, that works great.
 
 Knew that worked for JavaScript but didn't know it worked for PHP.
 
  print("value=\" . $attributes["messageSubject"] . "\"");
 
 Slight typo there:
 
 value=\"" . ...




RE: [PHP] Escaping quotes [solution]

2004-08-12 Thread Alex Hogan
[snip]
2) By not escaping quotes in the data
...
You can do it this way but you must make sure that any strings in your 
values array have been escaped before with 
[/snip]

There are no quotes in the data.  The data coming in is a $_POST array.
$dbmssql->dbinsert($_POST, $table);

However this did make me pull my head out of my...

[snip]
using str_replace("'", "''", $str) should work.
[/snip]

Justin's first post on PEAR::DB pointed me in the right direction.  The
initial method that parses out the $_POST is where I needed to add the
quotes around the values.
I sure will be glad when I don't make these kinds of simple mistakes
anymore.


Thanks guys...


alex hogan
*
The contents of this e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom it is addressed. The 
views stated herein do not necessarily represent the view of the company. If you are 
not the intended recipient of this e-mail you may not copy, forward, disclose, or 
otherwise use it or any part of it in any form whatsoever. If you have received this 
e-mail in error please e-mail the sender. 
*




[PHP] Escaping quotes

2004-08-11 Thread Alex Hogan
Hi All,

I have this expression;
$query  =   "INSERT INTO $table (%s) VALUES (%s)";
$query  =   sprintf($query, implode(",", $fld), implode(",", $val));
$result =   mssql_query($query) or die($errmsg); 
I am trying to insert values from an array into the database.
I keep getting the error that I can't pass column names in this context.
I know it's because I'm not enclosing $val in quotes.  
I've tried a number of variations;
implode("\",\"", $val)
implode("\',\'", $val)
implode(",", "\"".$val."\"") - This blows up nicely ;-)

Where am I going wrong on this?


alex hogan

 




Re: [PHP] Escaping quotes

2004-08-11 Thread Justin Patrin
On Wed, 11 Aug 2004 19:03:32 -0500, Alex Hogan
[EMAIL PROTECTED] wrote:
 Hi All,
 
 I have this expression;
 $query  =   "INSERT INTO $table (%s) VALUES (%s)";
 $query  =   sprintf($query, implode(",", $fld), implode(",", $val));
 $result =   mssql_query($query) or die($errmsg);
 I am trying to insert values from an array into the database.
 I keep getting the error that I can't pass column names in this context.
 I know it's because I'm not enclosing $val in quotes.
 I've tried a number of variations;
 implode("\",\"", $val)
 implode("\',\'", $val)
 implode(",", "\"".$val."\"") - This blows up nicely ;-)
 
 Where am I going wrong on this?
 

1) By using implode to do this
2) By not escaping quotes in the data

If you look in the PEAR::DB code, here's how they quote field names:

function quoteIdentifier($str)
{
return '[' . str_replace(']', ']]', $str) . ']';
}

and here's how they quote values:

function quoteSmart($in)
{
if (is_int($in) || is_double($in)) {
return $in;
} elseif (is_bool($in)) {
return $in ? 1 : 0;
} elseif (is_null($in)) {
return 'NULL';
} else {
return "'" . str_replace("'", "''", $in) . "'";
}
}


-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--




Re: [PHP] Escaping quotes

2004-08-11 Thread Tom Rogers
Hi,

Thursday, August 12, 2004, 10:03:32 AM, you wrote:
AH Hi All,

AH I have this expression;
AH $query  =   "INSERT INTO $table (%s) VALUES (%s)";
AH $query  =   sprintf($query, implode(",", $fld), implode(",", $val));
AH $result =   mssql_query($query) or die($errmsg); 
AH I am trying to insert values from an array into the database.
AH I keep getting the error that I can't pass column names in this context.
AH I know it's because I'm not enclosing $val in quotes.  
AH I've tried a number of variations;
AH implode("\",\"", $val)
AH implode("\',\'", $val)
AH implode(",", "\"".$val."\"") - This blows up nicely ;-)

AH Where am I going wrong on this?


AH alex hogan

You can do it this way but you must make sure that any strings in your
values array have been escaped before with mysql_escape_string() and
probably trimmed as well.

$fields = array('id','name','age');
$values = array(1,'Dave',40);
$table = 'test';

$sql = sprintf("INSERT INTO %s (%s) VALUES ('%s')", $table, implode(',', $fields), implode("','", $values));
echo $sql;


(It's perfectly ok to quote numbers)

-- 
regards,
Tom




Re: [PHP] Escaping quotes

2004-08-11 Thread Justin Patrin
On Thu, 12 Aug 2004 12:34:30 +1000, Tom Rogers [EMAIL PROTECTED] wrote:
 Hi,
 
 Thursday, August 12, 2004, 10:03:32 AM, you wrote:
 AH Hi All,
 
 AH I have this expression;
 AH $query  =   "INSERT INTO $table (%s) VALUES (%s)";
 AH $query  =   sprintf($query, implode(",", $fld), implode(",", $val));
 AH $result =   mssql_query($query) or die($errmsg);
 AH I am trying to insert values from an array into the database.
 AH I keep getting the error that I can't pass column names in this context.
 AH I know it's because I'm not enclosing $val in quotes.
 AH I've tried a number of variations;
 AH implode("\",\"", $val)
 AH implode("\',\'", $val)
 AH implode(",", "\"".$val."\"") - This blows up nicely ;-)
 
 AH Where am I going wrong on this?
 
 AH alex hogan
 
 You can do it this way but you must make sure that any strings in your
 values array have been escaped before with mysql_escape_string() and
 probably trimmed as well.

The question was about mssql, not mysql. Using str_replace("'", "''",
$str) should work.

 
 $fields = array('id','name','age');
 $values = array(1,'Dave',40);
 $table = 'test';
 
 $sql = sprintf("INSERT INTO %s (%s) VALUES ('%s')", $table, implode(',', $fields), implode("','", $values));
 echo $sql;
 
 (It's perfectly ok to quote numbers)
 
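The INSERT that Alex's dbinsert($_POST, $table) needs, built the way Tom's sprintf() version and Justin's PEAR::DB quoteSmart()/quoteIdentifier() excerpts suggest but with each identifier and value quoted on its own. This is an added example, not code from the thread or from PEAR::DB; the function names and the column allow-list are mine, and the dialect is MSSQL as in the question.

```php
<?php
// Added example, not from the thread or from PEAR::DB. Builds the INSERT for
// dbinsert($_POST, $table) by quoting each MSSQL identifier and each value
// separately. Function names are mine.

// Bracket-quote an identifier. Doubling ] stops a name from closing the
// bracket early, but the caller still decides which names are acceptable.
function mssql_quote_identifier($name)
{
    return '[' . str_replace(']', ']]', $name) . ']';
}

// Quote a value by type: numbers bare, booleans as 1/0, null as NULL, and
// strings in single quotes with every embedded single quote doubled.
function mssql_quote_value($value)
{
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    if (is_null($value)) {
        return 'NULL';
    }
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

// Build "INSERT INTO [t] ([a], [b]) VALUES (...)" from an associative array.
// $allowed_columns is what makes passing $_POST straight in acceptable: form
// fields that are not real columns of the table are dropped, not quoted.
function build_insert($table, array $row, array $allowed_columns)
{
    $cols = array();
    $vals = array();
    foreach ($row as $column => $value) {
        if (!in_array($column, $allowed_columns, true)) {
            continue; // e.g. the submit button, or a field someone added to the form
        }
        $cols[] = mssql_quote_identifier($column);
        $vals[] = mssql_quote_value(is_string($value) ? trim($value) : $value);
    }
    if (!$cols) {
        return null; // nothing valid to insert
    }
    return sprintf('INSERT INTO %s (%s) VALUES (%s)',
        mssql_quote_identifier($table), implode(', ', $cols), implode(', ', $vals));
}

// Constructed input shaped like the $_POST array in the thread, including the
// single quote that made the implode()-based attempts fail.
$post = array('name' => "O'Reilly ", 'age' => '40', 'submit' => 'Save');
$sql  = build_insert('test', $post, array('id', 'name', 'age'));
echo $sql, "\n";
```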



RE: [PHP] escaping quotes for redisplay

2003-02-19 Thread Ford, Mike [LSS]
 -Original Message-
 From: Erik Price [mailto:[EMAIL PROTECTED]]
 Sent: 18 February 2003 18:11
 
 PS: I am using htmlentities() on the output before displaying it in the
 browser, but it doesn't apply to singlequotes.

Ahem!  I quote from http://www.php.net/manual/en/function.htmlentities.php:

 ... the optional second quote_style parameter lets you define
 what will be done with 'single' and double quotes. It takes
 on one of three constants with the default being ENT_COMPAT: 

 Constant Name  Description 
 ENT_COMPAT     Will convert double-quotes and leave single-quotes alone. 
 ENT_QUOTES     Will convert both double and single quotes. 
 ENT_NOQUOTES   Will leave both double and single quotes unconverted.

So just use htmlentities($output, ENT_QUOTES).

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211






[PHP] escaping quotes for redisplay

2003-02-18 Thread Erik Price
Hi,

I am running into a problem, that I'm certain I've had before but for 
some reason don't remember how to handle.  If anyone can advise me on 
what to do here, that would be great.

I have a PHP script that accepts some user input and validates it, and 
if the validation fails, it re-displays the form.  In the form, the 
text fields' value attributes are set to the user's input so that the 
user doesn't have to fill everything out again.  The whole system works 
great, and I'm sure you've all seen it a hundred times before.

The problem happens when a user enters a single quote, such as in the 
string O'Reilly.  Re-displaying this value in the value attribute 
of the form, like this:

  <input type='text' name='publisher' value='O'Reilly' />

is clearly invalid HTML, and it shows when the page is rendered in the 
user's browser (only the O gets through).

If I turn on magic_quotes_gpc or use addslashes, the output is like so:

  <input type='text' name='publisher' value='O\'Reilly' />

And of course, when rendered, simply allows the O\ to get through.

I can solve this problem by using double-quotes instead of 
single-quotes for my attributes, and that is probably what I'm going to 
have to do.  However, this means I can't let users enter double quotes, 
or the same thing will happen.  In other fields, double-quotes might be 
necessary.  Is there any other solution?

Thanks,

Erik

PS: I am using htmlentities() on the output before displaying it in the 
browser, but it doesn't apply to singlequotes.  I suppose I could 
str_replace it, but I'm wondering how other people handle this 
situation






--
Erik Price

email: [EMAIL PROTECTED]
jabber: [EMAIL PROTECTED]





Re: [PHP] escaping quotes for redisplay

2003-02-18 Thread David Otton
On Tue, 18 Feb 2003 13:10:33 -0500, you wrote:

   <input type='text' name='publisher' value='O'Reilly' />

<input type="text" name="blah" value="aa&quot;aa">






[PHP] escaping quotes in mail() message

2003-02-03 Thread Lowell Allen
I'm having a problem escaping double quotes in email messages sent with
mail(). The message is built as a string and assigned to a variable and the
variable name is passed to the mail function.

The double quotes appear correctly in a simple test like this:
$message = "This message uses 'single' and \"double\" quotes.";
mail($sendto, $subject, $message, $headers);

But if $message is built in another part of the script and passed as a
hidden input of a form, the email arrives with the message truncated at the
first double quote encountered. If I do a str_replace() on $message to
escape double quotes, the email shows the escaping backslash but is still
truncated at the double quote!

I've got magic_quotes on, but I think I'm keeping up with stripslashes
because single quotes are showing up correctly.

Can anyone please advise?

--
Lowell Allen






Re: [PHP] escaping quotes in mail() message

2003-02-03 Thread 1LT John W. Holmes
 I'm having a problem escaping double quotes in email messages sent with
 mail(). The message is built as a string and assigned to a variable and
the
 variable name is passed to the mail function.

 The double quotes appear correctly in a simple test like this:
 $message = "This message uses 'single' and \"double\" quotes.";
 mail($sendto, $subject, $message, $headers);

 But if $message is built in another part of the script and passed as a
 hidden input of a form, the email arrives with the message truncated at
the
 first double quote encountered. If I do a str_replace() on $message to
 escape double quotes, the email shows the escaping backslash but is still
 truncated at the double quote!

 I've got magic_quotes on, but I think I'm keeping up with stripslashes
 because single quotes are showing up correctly.

 Can anyone please advise?

You can't escape double quotes in HTML... it doesn't understand.

So, you're ending up with a hidden element like this:

<input type="hidden" name="whatever" value="This message uses 'single' and
\"double\" quotes.">

HTML will cut it off at the first " because it doesn't recognize the escape
character.

The way around this is to use htmlentities() or htmlspecialchars() on your
string before you insert it into the value attribute of your form element.
It will come out decoded on the the other side, so you don't have to worry
about that.

Hope that helps.

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] escaping quotes in mail() message

2003-02-03 Thread Lowell Allen
 From: 1LT John W. Holmes [EMAIL PROTECTED]
 
 I'm having a problem escaping double quotes in email messages sent with
 mail(). The message is built as a string and assigned to a variable and
 the
 variable name is passed to the mail function.
 
 The double quotes appear correctly in a simple test like this:
 $message = "This message uses 'single' and \"double\" quotes.";
 mail($sendto, $subject, $message, $headers);
 
 But if $message is built in another part of the script and passed as a
 hidden input of a form, the email arrives with the message truncated at
 the
 first double quote encountered. If I do a str_replace() on $message to
 escape double quotes, the email shows the escaping backslash but is still
 truncated at the double quote!

[snip]

 The way around this is to use htmlentities() or htmlspecialchars() on your
 string before you insert it into the value attribute of your form element.
 It will come out decoded on the the other side, so you don't have to worry
 about that.

John, thanks for the fine reply -- problem solved!

--
Lowell Allen


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[PHP] escaping quotes in forms and redisplaying variables in form fields

2002-05-06 Thread John Hughes

I'm stumbling over how to allow people to put single or double quotes
in a form text field. 

I am passing the form to itself ($PHP_SELF) and on the second time
through previewing what the form data will look like and also
re-creating the form with the data already filled in.

Here's an example of one text field:

$display_line .= "<input type='text' name='signature'
value='$noslash_signature' size='35' maxlength='100'>";

(I have stripslashes() the $signature variable to create
$noslash_signature.)

If someone signs their name O'Brien, the preview shows O'Brien, but
all that shows in the form field is O. However, Joe "Bruiser" Jones
displays correctly in preview and the form.

If I change the code like this (adding the \ around the variable): 

$display_line .= "<input type='text' name='signature'
value=\"$noslash_signature\" size='35' maxlength='100'>";

O'Brien will display OK, but Joe "Bruiser" Jones shows just Joe in
the form field.

One solution is to change the text form to textarea, but I'd prefer
to be able to redisplay at text form field if possible.

TIA,
John Hughes

__
Do You Yahoo!?
Yahoo! Health - your guide to health and wellness
http://health.yahoo.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] escaping quotes in forms and redisplaying variables in form fields

2002-05-06 Thread Robert Cummings

See: http://www.php.net/manual/en/function.htmlspecialchars.php

John Hughes wrote:
 
 I'm stumbling over how to allow people to put single or double quotes
 in a form text field.
 
 I am passing the form to itself ($PHP_SELF) and on the second time
 through previewing what the form data will look like and also
 re-creating the form with the data already filled in.
 
 Here's an example of one text field:
 
 $display_line .= "<input type='text' name='signature'
 value='$noslash_signature' size='35' maxlength='100'>";
 
 (I have stripslashes() the $signature variable to create
 $noslash_signature.)
 
 If someone signs their name O'Brien, the preview shows O'Brien, but
 all that shows in the form field is O. However, Joe "Bruiser" Jones
 displays correctly in preview and the form.
 
 If I change the code like this (adding the \ around the variable):
 
 $display_line .= "<input type='text' name='signature'
 value=\"$noslash_signature\" size='35' maxlength='100'>";
 
 O'Brien will display OK, but Joe "Bruiser" Jones shows just Joe in
 the form field.
 
 One solution is to change the text form to textarea, but I'd prefer
 to be able to redisplay at text form field if possible.

-- 
Robert Cummings
Webdeployer - Chief PHP and Java Programmer
Mail    : mailto:[EMAIL PROTECTED]
Phone   : (613) 731-4046 x.109
Website : http://www.webmotion.com
Fax     : (613) 260-9545

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] escaping quotes in forms and redisplaying variables in form fields

2002-05-06 Thread 1LT John W. Holmes

Yeah, you have to convert the single and double quotes to html entities so
they are not mistaken for the end of the string.

If you look at your source code, you'll see why it's happening.

value='O'Bryan'
value="Joe "Bruiser" Smith"

You can see how the 'O' is taken as the string, and the rest is ignored.
Same for the double quotes.

---John Holmes...

- Original Message -
From: Robert Cummings [EMAIL PROTECTED]
To: John Hughes [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, May 06, 2002 5:06 PM
Subject: Re: [PHP] escaping quotes in forms and redisplaying variables in
form fields


 See: http://www.php.net/manual/en/function.htmlspecialchars.php

 John Hughes wrote:
 
  I'm stumbling over how to allow people to put single or double quotes
  in a form text field.
 
  I am passing the form to itself ($PHP_SELF) and on the second time
  through previewing what the form data will look like and also
  re-creating the form with the data already filled in.
 
  Here's an example of one text field:
 
  $display_line .= "<input type='text' name='signature'
  value='$noslash_signature' size='35' maxlength='100'>";
 
  (I have stripslashes() the $signature variable to create
  $noslash_signature.)
 
  If someone signs their name O'Brien, the preview shows O'Brien, but
  all that shows in the form field is O. However, Joe "Bruiser" Jones
  displays correctly in preview and the form.
 
  If I change the code like this (adding the \ around the variable):
 
  $display_line .= "<input type='text' name='signature'
  value=\"$noslash_signature\" size='35' maxlength='100'>";
 
  O'Brien will display OK, but Joe "Bruiser" Jones shows just Joe in
  the form field.
 
  One solution is to change the text form to textarea, but I'd prefer
  to be able to redisplay at text form field if possible.

 --
 Robert Cummings
 Webdeployer - Chief PHP and Java Programmer
 Mail    : mailto:[EMAIL PROTECTED]
 Phone   : (613) 731-4046 x.109
 Website : http://www.webmotion.com
 Fax     : (613) 260-9545

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
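The fix John Holmes gives in both threads above (the hidden field that truncated the mail() message, and the O'Brien / Joe "Bruiser" Jones text field) is the same one: encode the value for HTML attribute context rather than backslash-escape it. The example below is added here to show it working; it is not code from any of the posts. The field names, the sample values and the '/form.php' path are assumptions made for the demonstration. It also shows why the second thread needs ENT_QUOTES (the attribute there is single-quoted), that the browser decodes the entities again on submit so the handler gets the original text back, and that an unescaped quote in an attribute is a script-injection hole, not just a display glitch.

```php
<?php
// Added example for the two threads above (the hidden-field mail() message and
// the O'Brien / Joe "Bruiser" Jones form); this is not code from the original
// posts. Field names, the sample values and the '/form.php' path are
// assumptions made for the demonstration.

// One helper for every attribute value. ENT_QUOTES is the part that matters for
// single-quoted attributes: without it htmlspecialchars() converts & < > and "
// but leaves ' alone, so value='O'Brien' would still be cut at the apostrophe.
function attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Builds the self-posting form. The action is taken from the request path,
// which the client controls, so it goes through the same helper as user input.
// $_SERVER['PHP_SELF'] is visible in any scope, unlike the old $PHP_SELF
// global that had to be declared with "global" inside a function.
function render_form($signature, $message)
{
    $action = attr($_SERVER['PHP_SELF']);

    // Single-quoted PHP strings hold the double-quoted HTML without backslashes.
    $html  = '<form name="frmMovies" method="post" action="' . $action . '">' . "\n";
    // Double-quoted attribute: covered by htmlspecialchars() even without ENT_QUOTES.
    $html .= '<input type="text" name="signature" value="' . attr($signature)
           . '" size="35" maxlength="100">' . "\n";
    // Single-quoted attribute: only safe because attr() passes ENT_QUOTES.
    $html .= "<input type='hidden' name='message' value='" . attr($message) . "'>\n";
    $html .= '</form>' . "\n";
    return $html;
}

// Constructed sample inputs. The last one is what an attacker submits: left
// unescaped it closes the attribute and adds an event handler, so the cost of
// this bug is script injection, not just a truncated field.
$inputs = array(
    "O'Brien",
    'Joe "Bruiser" Jones',
    'x" onfocus="alert(document.cookie)" autofocus="',
);

$_SERVER['PHP_SELF'] = '/form.php';   // set explicitly so this runs from the CLI

foreach ($inputs as $value) {
    echo render_form($value, $value);
}

// Round trip: the browser decodes the entities before submitting, so the
// handler receives the original text and must not call html_entity_decode()
// or stripslashes() on it again. html_entity_decode() stands in here for the
// browser's attribute parsing.
foreach ($inputs as $value) {
    $back = html_entity_decode(attr($value), ENT_QUOTES, 'UTF-8');
    echo ($back === $value ? 'round trip ok: ' : 'round trip BROKEN: '), $value, "\n";
}

// Why the str_replace('"', '\"', ...) approach in the post fails: HTML has no
// backslash escape, so the browser ends the attribute at the first quote and
// the backslash becomes part of the visible value.
$wrong = str_replace('"', '\"', 'Joe "Bruiser" Jones');
echo '<input type="hidden" name="message" value="' . $wrong . '">' . "\n";
```

Run it with `php form.php` and compare the last line with the escaped forms above it: the escaped fields keep the whole value in every browser, the backslashed one stops at `Joe \`. With magic_quotes on, apply stripslashes() once to the submitted value and nothing else; the entity encoding belongs only at the point where the value is written into the HTML.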




[PHP] Escaping Quotes in a String and Ending With A Quote

2002-03-19 Thread Dr. Shim

Well, this is a fairly simple problem. I'm having problems with escaping a
string, and then ending the string right after the escape! For example,

echo "Then Johnathan said, \"That's exactly what I said!\"";

I get a parse error on the line where the string is. Very simple problem, I
just can't seem to solve it though. Maybe I'm going crazy =)



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Escaping Quotes in a String and Ending With A Quote

2002-03-19 Thread Miguel Cruz

On Tue, 19 Mar 2002, Dr. Shim wrote:
 Well, this is a fairly simple problem. I'm having problems with escaping a
 string, and then ending the string right after the escape! For example,
 
 echo "Then Johnathan said, \"That's exactly what I said!\"";
 
 I get a parse error on the line where the string is. Very simple problem, I
 just can't seem to solve it though. Maybe I'm going crazy =)

There's nothing wrong with that PHP code. Are you sure you really copied
and pasted it directly from the problem code - or that the parse error
isn't somewhere else?

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Escaping Quotes in a String and Ending With A Quote

2002-03-19 Thread Dr. Shim

Hmmm. How about this?

echo "<form name=\"frmMovies\"  method=\"post\" action=\"" . echo $PHP_SELF . "\">";


Miguel Cruz [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
On Tue, 19 Mar 2002, Dr. Shim wrote:
 Well, this is a fairly simple problem. I'm having problems with escaping a
 string, and then ending the string right after the escape! For example,

 echo "Then Johnathan said, \"That's exactly what I said!\"";

 I get a parse error on the line where the string is. Very simple problem,
I
 just can't seem to solve it though. Maybe I'm going crazy =)

There's nothing wrong with that PHP code. Are you sure you really copied
and pasted it directly from the problem code - or that the parse error
isn't somewhere else?

miguel




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Escaping Quotes in a String and Ending With A Quote

2002-03-19 Thread Bob


You need to remove the second echo.

On Tue, 19 Mar 2002, Dr. Shim wrote:

 Hmmm. How about this?
 
 echo "<form name=\"frmMovies\"  method=\"post\" action=\"" . echo $PHP_SELF . "\">";
 
 
 Miguel Cruz [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
 On Tue, 19 Mar 2002, Dr. Shim wrote:
  Well, this is a fairly simple problem. I'm having problems with escaping a
  string, and then ending the string right after the escape! For example,
 
  echo "Then Johnathan said, \"That's exactly what I said!\"";
 
  I get a parse error on the line where the string is. Very simple problem,
 I
  just can't seem to solve it though. Maybe I'm going crazy =)
 
 There's nothing wrong with that PHP code. Are you sure you really copied
 and pasted it directly from the problem code - or that the parse error
 isn't somewhere else?
 
 miguel
 
 
 
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php
 
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Escaping Quotes in a String and Ending With A Quote

2002-03-19 Thread Miguel Cruz

On Tue, 19 Mar 2002, Dr. Shim wrote:
 Hmmm. How about this?
 
 echo "<form name=\"frmMovies\"  method=\"post\" action=\"" . echo $PHP_SELF . "\">";

You're concatenating "echo $PHP_SELF" rather than just "$PHP_SELF", which 
isn't necessarily helping. But just between me and you, life would be a 
lot easier if you simply did:

echo '<form name="frmMovies" method="post" action="' . $PHP_SELF . '">';

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Escaping Quotes in a String and Ending With A Quote

2002-03-19 Thread Dr. Shim

Strangley enough, $PHP_SELF is empty. Nothing appears when I do it the way
Bob and you suggested, the action property equals "".

Miguel Cruz [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
On Tue, 19 Mar 2002, Dr. Shim wrote:
 Hmmm. How about this?

 echo "<form name=\"frmMovies\"  method=\"post\" action=\"" . echo $PHP_SELF . "\">";

You're concatenating "echo $PHP_SELF" rather than just "$PHP_SELF", which
isn't necessarily helping. But just between me and you, life would be a
lot easier if you simply did:

echo '<form name="frmMovies" method="post" action="' . $PHP_SELF . '">';

miguel




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Escaping Quotes in a String and Ending With A Quote

2002-03-19 Thread Miguel Cruz

Are you inside a function, having neglected to do

  global $PHP_SELF;

?

miguel

On Tue, 19 Mar 2002, Dr. Shim wrote:
 Strangley enough, $PHP_SELF is empty. Nothing appears when I do it the way
 Bob and you suggested, the action property equals "".
 
 Miguel Cruz [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
 On Tue, 19 Mar 2002, Dr. Shim wrote:
  Hmmm. How about this?
 
  echo "<form name=\"frmMovies\"  method=\"post\" action=\"" . echo $PHP_SELF . "\">";
 
 You're concatenating "echo $PHP_SELF" rather than just "$PHP_SELF", which
 isn't necessarily helping. But just between me and you, life would be a
 lot easier if you simply did:
 
 echo '<form name="frmMovies" method="post" action="' . $PHP_SELF . '">';
 
 miguel
 
 
 
 
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Escaping Quotes in a String and Ending With A Quote

2002-03-19 Thread Dr. Shim

*screams, I'm such a newbie!!*

I didn't know I had to declare $PHP_SELF with global before using it
inside a function. Sorry! Works now! Thanks very much! =)

Miguel Cruz [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Are you inside a function, having neglected to do

  global $PHP_SELF;

?

miguel

On Tue, 19 Mar 2002, Dr. Shim wrote:
 Strangley enough, $PHP_SELF is empty. Nothing appears when I do it the way
 Bob and you suggested, the action property equals "".

 Miguel Cruz [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
 On Tue, 19 Mar 2002, Dr. Shim wrote:
  Hmmm. How about this?
 
  echo "<form name=\"frmMovies\"  method=\"post\" action=\"" . echo $PHP_SELF . "\">";

 You're concatenating "echo $PHP_SELF" rather than just "$PHP_SELF", which
 isn't necessarily helping. But just between me and you, life would be a
 lot easier if you simply did:

 echo '<form name="frmMovies" method="post" action="' . $PHP_SELF . '">';

 miguel









-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php