addslashes() confusion!

move3rd

Hi,

I re-typed my question! it's much more simple than Io first thought!

The script below fills a select box with all "artists" in my db:

// Fill Select Menu With Artists  

$select_artist = ""; 
while ($row = mysql_fetch_array($result)) 
{ 
     $select_artist .= "<option value='".$row['artist']."'>".$row['artist']."</option>";       

}

When I select the value "kev's" and sumit the form to this sciprt:

// Retrieve artist name from another page via $_POST
$artist = addslashes($_POST['artist']); 

echo "$artist";

$edit_profile_button = "<form name=\"profile\" method=\"post\" action=\"edit_profile.php\">
	                    View/Edit $artist Profile<input type='hidden' name='artist' value='$artist'>
                        <input type=\"submit\" name=\"Submit\" value=\"Profile\"></form>";					

$sql = "SELECT * FROM `cds` WHERE `artist` = '$artist'";

$result = mysql_query($sql);

// Report Db errors
if (!$result) {
   echo "Could not successfully run query ($sql) from DB: " . mysql_error();
   exit;
              }
// Report Nothing Found
if (mysql_num_rows($result) == 0) {
	echo "Could not find any CD's by ".$artist."! Please add a CD using the form below.";  

                                  }

it out puts kev not kevs! How can I stop this happening?

Thanks

move3rd

Deleted - The edited post above explains...

move3rd

Bump..

My first two posts where over complicated.

laserlight

You're using single quotes to enclose the variable in the value attribute.

You could fix it by using double quotes, or by using htmlspecialchars() with ENT_QUOTES

move3rd

laserlight to the rescue once again! Thanks 🙂

I changed my select box code to this:


// Fill Select Menu With Artists  

$select_artist = ""; 
while ($row = mysql_fetch_array($result)) 
{ 
     $select_artist .= "<option value=\"".$row['artist']."\">".$row['artist']."</option>";       

}

and the script the form is submit to like this: (removed addslashes)

// Retrieve artist name from another page via $_POST
$artist = $_POST['artist']; 

$edit_profile_button = "<form name=\"profile\" method=\"post\" action=\"edit_profile.php\">
	                    View/Edit $artist Profile<input type='hidden' name='artist' value='$artist'>
                        <input type=\"submit\" name=\"Submit\" value=\"Profile\"></form>";					

$sql = "SELECT * FROM `cds` WHERE `artist` = '$artist'";

$result = mysql_query($sql);

// Report Db errors
if (!$result) {
   echo "Could not successfully run query ($sql) from DB: " . mysql_error();
   exit;
              }
// Report Nothing Found
if (mysql_num_rows($result) == 0) {
	echo "Could not find any CD's by ".$artist."! Please add a CD using the form below.";  

                                  }

It now outputs:

Could not find any CD's by kev\'s! Please add a CD using the form below.

Is this somthing to with magic_quotes? Why is it adding the back slash?

laserlight

Yes, it does.

You can use stripslashes() on output as needed, of course.

move3rd

It outputs:

Could not find any CD's by kev\'s! Please add a CD using the form below.

(the back slash disapeard above?)

I just realised I need the slash there for the db query so I carnt use stripslashes.

Could you please explain why the back slash is there even though I didnt use addslsashes?

laserlight

When magic_quotes_gpc is set to On (and it is by default), data from GET, POST and COOKIE are escaped.

You dont need slashes for output, only when storing into the database, so that shouldnt be a problem.

move3rd

Thanks for clearing that up for me laserlight!