Displaying text with quotes

julianna_jay

I have a site where users are inputting specs on beds. An example of what they might input would be:

1 1/2" SuperSoft Convolute Foam

This inserts into the database correctly. The problem I am having is trying to display it on an edit screen. They choose the bed and it comes up with all the text boxes already filled in with the information. When I want to display info that contains a quote (") it ends where that quote is. What I will see in the text box is:

1 1/2

I have a function which I pass a table name, field name I want displayed as well as the id and the field to compare the id against.

The html is as follows when it is being displayed:

<td colspan="6"><input name="upholstery2" type="text" id="upholstery2" value="<?=get_info(upholstery2,beds,$bed_id,bed_id); ?>" maxlength="70">

What do I need to do to make the quote in the info display? Is there something I need to do to the php in the html or something in the function before returning it? It displays fine if it's not in a text box. I would really appreciate any help.

Thanks,
Julianna.

KendersPlace

Try putting a backslash \ directly in front of the quotes.

Look in the php manual about escape characters and how to use them to get different values. That's going to be the key to what you're doing. I've never done this before, but have a basic idea of how it would work.

Here is the idea as I understand it......

Get the passed in value from the submission form the user has filled out (the field that is likely to contain a quote).

Use some of the php string functions to parse the supplied value, and replace any occurances of " with \". Aslo note that when you specify to the php string function that it is looking for a " quote, you will have to specify this quote using the backslash first.

Also, when specifying that it should replace the quote with a "backslash-quote", you will also need to escape the backslash also by putting 2 back slashes side by side.

Not sure of the exact php function you'd use to make the replacement, but here' s a general idea of how it may be written.
Ex: replace($passed_string, "\"", "\"");

suntra

When you write data in a database, you should use mysql_escape_string()...

mcgruff

I think you might want to use htmlspecialchars().

I always do this to vars from forms:

htmlspecialchars(addslashes(trim($_POST['var'])));

stripslash 'em on the way out of the db.

RedDragon

have a look at the stripslashes and the addslashes function

laserlight

Actually, it probably is better to escape the quotes when storing, then use htmlspecialchars() on output, hence RedDragon's suggestion to read addslashes() and stripslashes()

You might have to check for magic_quotes_gpc as it could affect your use of addslashes()

mystrymaster

so in my add or update to a database I would use

htmlspecialchars(addslashes(trim($_POST['var'])));

and then when I output it as text I would use

htmlspecialchars(stripslashes(trim($var])));

Is that right?

julianna_jay

I got it. You guys are the best! 🙂

mcgruff

Originally posted by laserlight
Actually, it probably is better to escape the quotes when storing, then use htmlspecialchars() on output

I like to do as much processing on input as possible: my thinking being that data is input once but viewed many times, hence it seems more efficient this way.

Just ignore me if this sounds a bit picky but I can't help wondering if I've missed something.

Weedpacket

The only drawback to using htmlspecialchars() on input is that it assumes you won't be wanting to use the data anywhere else. 'Cos if you did, you'd have to unhtmlspecialchars() it before it could be used.

mcgruff

I assumed that the data is going to be retrieved for display in a web browser - should maybe have made that clear.

In this case, htmlspecialchars() on the way in means that <> become & l t and & g t which will display as <> in the browser but won't allow any naughtiness like <script> to run.

For anything else rgr I think I see your point. Doing it on the way out means that you wouldn't have to un-htmlspecialchars if you were writing a csv file eg. I guess it would depend on exactly what you're doing which way is most efficient overall.

Thanks.