Hey, how are you.
Here are some things to remember when working with forms and databases.
If you want to display text inside a tag, i.e. <input type=text value="my text here">, you need to make sure you use htmlentities() so that characters such as ', ", < and > are encoded and can't close the attribute early or get treated as markup.
so do this:
<?php
echo "<td><input type='text' name='Q1[]' value='" . htmlentities($s, ENT_QUOTES) . "'></td>";
?>
this will display the text properly (ENT_QUOTES is needed so that single quotes are encoded too, since the attribute above is single-quoted).
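Here is the attribute-encoding point spelled out as an added example (my code, not the post's): the same field name Q1 as above, a constructed value containing every character that can break an attribute, and the field rendered both without and with htmlentities(). The unsafe version ends the value attribute at the apostrophe in O'Brien, so everything after it is parsed as new attributes or tags; the safe version turns ' into &#039;, " into &quot; and < into &lt;, which the browser shows as the original text.

```php
<?php
// Added example: rendering a form field whose value came from user input.
// Constructed sample value with all the characters that can break out of
// an attribute: single quote, double quote, angle brackets, ampersand.
$s = "O'Brien said \"hi\" <b>& left</b>";

// Unsafe: the raw value goes straight into a single-quoted attribute.
// The ' in O'Brien closes value='...' early and the remainder of the
// string becomes part of the tag (attribute/HTML injection).
function inputFieldUnsafe(string $name, string $value): string
{
    return "<td><input type='text' name='" . $name . "[]' value='" . $value . "'></td>";
}

// Safe: htmlentities() with ENT_QUOTES encodes both ' and ". Without the
// flag, PHP before 8.1 only encodes ", which is not enough for a
// single-quoted attribute like the one used here.
function inputFieldSafe(string $name, string $value): string
{
    $enc = htmlentities($value, ENT_QUOTES, 'UTF-8');
    return "<td><input type='text' name='" . $name . "[]' value='" . $enc . "'></td>";
}

echo inputFieldUnsafe('Q1', $s), "\n";
echo inputFieldSafe('Q1', $s), "\n";
```

Run it from the command line and compare the two lines: in the first, the tag has ended after O, and "Brien said" is sitting where attributes belong; in the second, the whole value is still inside value='...'.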
Next, when you submit a form, any quotes in the submitted data will have a backslash \ prepended to them (this is PHP's magic_quotes_gpc behaviour).
So... first you need to strip the slashes out using stripslashes():
eg:
<?php
$sText = stripslashes($_POST["sText"]);
?>
Then, to insert text into a database, any quotes in the text need to be escaped so they don't break the query.
but... how depends on how your string is quoted. like:
<?php
$sQuery = "jfdlksjf dls ' \" jflkdasj fldjsa";
?>
A string held in double quotes " needs any extra " characters inside it escaped as \".
But if you prefer ' characters to hold your strings, you need to escape any extra ones of those instead:
<?php
$sQuery = 'jfldjsalfkjdsal \' jflk dasjflkd saj " jfldksajf ';
?>
to do that we can just use addslashes();
now... another problem is that you also need to escape the quotes used in the SQL statement itself. Usually you do this either with addslashes() or by prepending another quote of the same kind to the quote (doubling it). Which one works depends on the database; for MySQL and Oracle you have to do the doubling anyway.
Eg:
insert into table (field, field2) values (' jlfdj as'' jfklds a', 'jfld sa'' jflsd');
or
insert into table (field, field2) values (" jlfdj as"" jfklds a", "jfld sa"" jflsd");
So... this can all be confusing. Pretty much the best option is to stick to a standard. I always use double quotes in PHP to hold strings that are going to contain SQL text, and in SQL I use single quotes to do stuff.
eg:
<?php
$sQuery = "insert into table (field, field2) values (' jlfdj as'' jfklds a', 'jfld sa '' jflsd');";
?>
So here's a good function I use to do all of this in one, as long as you use " for PHP strings and ' for SQL. Just apply it to any form variables that you're going to use in your SQL query:
<?php
// Replace all \' with ''
// Leave \" as is so it doesn't break up the $sql = " ... "
function fixQuotes($sContent = "") {
    // Replace the slash-escaped quotes with two single quotes.
    // The SQL escape for a quote is another quote of the same kind
    // (single or double) in front of it.
    // Since we use single quotes for strings in SQL statements, double every single quote.
    $sContent = str_replace("'", "''", $sContent);
    // Then drop the magic-quotes backslash: replace \'' with ''
    // (loop so that a run of several backslashes is removed completely)
    while (strpos($sContent, "\\'") !== false) {
        $sContent = str_replace("\\'", "'", $sContent);
    }
    return $sContent;
}

$sText = fixQuotes($_POST["sText"]);
$sQuery = "insert into table(field) values ('" . $sText . "');";
?>
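To see what all this escaping actually does to a value, here is an added example (mine, not Adam's code) that follows one constructed form value through the whole chain: the magic-quotes backslashes simulated with addslashes(), the same doubling logic as fixQuotes(), and the finished query run against an in-memory SQLite database via PDO (the pdo_sqlite extension is assumed; the table notes and column body are made up for the example). SQLite, like MySQL and Oracle, treats '' inside a single-quoted literal as one quote, so the same query text works. The block also shows the parameterized form of the same insert, a different technique from the post's, in which the value never becomes part of the SQL text at all.

```php
<?php
// Added example, not the original post's code: one form value through
// no escaping, the post's quote-doubling, and a parameterized query.

// Same logic as the post's fixQuotes(): double every single quote for the
// SQL parser, then drop the magic-quotes backslash left in front of it.
function fixQuotes(string $sContent = ''): string
{
    $sContent = str_replace("'", "''", $sContent);
    while (strpos($sContent, "\\'") !== false) {
        $sContent = str_replace("\\'", "'", $sContent);
    }
    return $sContent;
}

// Constructed sample: what the user typed into the form.
$typed = "O'Brien's text, isn't it";

// What the script receives with magic_quotes_gpc on. addslashes() applies
// the same transformation magic quotes did, so it stands in for it here.
$posted = addslashes($typed);

// 1. No escaping: the ' in O'Brien ends the SQL literal and the rest of the
//    value is parsed as SQL. Built as a string only; it is never executed.
$broken = "insert into notes (body) values ('" . stripslashes($posted) . "');";

// 2. The post's approach: quotes doubled, so the literal stays intact.
$escaped = "insert into notes (body) values ('" . fixQuotes($posted) . "');";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table notes (body text)');
$db->exec($escaped);

// 3. A parameterized query: the value is sent separately from the SQL text,
//    so nothing in it can alter the statement and no quoting is needed.
$stmt = $db->prepare('insert into notes (body) values (:body)');
$stmt->execute([':body' => stripslashes($posted)]);

// Both stored rows must come back exactly as typed.
$rows = $db->query('select body from notes')->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $i => $body) {
    echo ($body === $typed ? 'ok  ' : 'FAIL'), ' row ', $i + 1, ': ', $body, "\n";
}
echo "unescaped query (would break the statement): ", $broken, "\n";
```

One design note: fixQuotes() leaves \" alone because the post's concern is the PHP double-quoted string, but a value arrives in a variable, not in the PHP source, so the backslash before a " in a form value reaches the database untouched; MySQL undoes it (backslash is an escape in its string literals by default), while Oracle and SQLite store it as a real backslash. Doubling the quotes of the stripslashes() output, or using the parameterized form, avoids that difference.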
hope that was useful to you or someone and I didn't write too much silly stuff lol. I just remember being stuck on this when I first started and it sucked not being able to work out what was going on.
well, cya man.
-Adam 🙂