Apostrophe in GET

Pigmaster

I am writing some code to phrase a text variable from a form and submit it to an MySQL table.

Text variable from form is...
John's

I use mysql_real_escape_string for the MySQL INSERT, however if there is a problem with the variable I then bounce back to the form via a url with ?fieldvar=
and then putting the valve of the variable next. This is to save the person from having to reenter the data.

I am suffering a problem if the variable has a single quote (apostrophe) in ie John's

What code do I need to enable the form filed to show John's and not get truncated.

I have tried addslashes, stripslashes even mysql_real_escape_string but nothing seems to work.

laserlight

First, check your PHP configuration in php.ini. magic_quotes_gpc should be set to Off. Then, make sure that you only use mysql_real_escape_string() on string values that will be used in the SQL statement. Values that will be printed in the HTML code should not be escaped with mysql_real_escape_string(), but with other functions like [man]htmlspecialchars/man.

Next, if you are using double quotes to quote value attributes in your HTML elements, then you should be covered by htmlspecialchars(). If you are using single quotes instead, then you need to provide the argument to escape single quotes as well. If you are not quoting at all, then you better start 😉

Pigmaster

laserlight;10886989 wrote:
First, check your PHP configuration in php.ini. magic_quotes_gpc should be set to Off. Then, make sure that you only use mysql_real_escape_string() on string values that will be used in the SQL statement. Values that will be printed in the HTML code should not be escaped with mysql_real_escape_string(), but with other functions like [man]htmlspecialchars/man.

OK, I understand this but still could not get it to work.

laserlight;10886989 wrote:
Next, if you are using double quotes to quote value attributes in your HTML elements, then you should be covered by htmlspecialchars(). If you are using single quotes instead, then you need to provide the argument to escape single quotes as well. If you are not quoting at all, then you better start 😉

I an not real sure what you mean here by quoting Laserlight.

I have included some php code that is the basis of what I am doing in a page called test.php, could you look and tell me if I am right or wrong and also about the quoting I would be most appreciated.
get_magic_quotes_gpc()) is off

<?php
function mySQLSafe($value, $quote="'") { 
	// strip quotes if already in
	$value = str_replace(array("\'","'"),"'",$value);

// Quote value
if(version_compare(phpversion(),"4.3.0")=="-1") {
	$value = mysql_escape_string($value);
} else {
	$value = mysql_real_escape_string($value);
}
$value = trim($value);
return $value; 
}

if (!isset($_POST['content_action'])) { 
	echo "<form id='form1' name='form1' method='post' action=''>";
	echo "<p>";
	if ((isset($_GET['post_error'])) && ($_GET['post_error'] == "meta_description")) {
		echo "<label>globalmetadescription: * Error *<br>";
		echo "<input type='text' name='meta_description' id='meta_description' value='".$_GET['meta_description']."' size='100' maxlength='254'>";
	} else {
		if (isset($_GET['meta_description'])) {
			echo "<label>globalmetadescription:<br>";
			echo "<input type='text' name='meta_description' id='meta_description' value='".htmlspecialchars($_GET['meta_description'])."' size='100' maxlength='254'>";
		} else {
			echo "<label>globalmetadescription:<br>";
			echo "<input type='text' name='meta_description' id='meta_description' value='None' size='100' maxlength='254'>";
		}
	}
	echo "</label>";
	echo "</p>";
	echo "<p>adsdb</p>";
	echo "<input name='content' type='hidden' id='content' value='".$_GET['content']."' />";
	echo "<input name='content_action' type='hidden' id='content_action' value='Wizzy' />";
	echo "<input type='submit' name='submit' id='submit' value='submit'>";
	echo "</form>";
} else {
	$post_error = "None";
	if(isset($_POST['content']) && $_POST['content'] !='') {
		$returned_error = "?content=".$_POST['content'];
	} else {
		$post_error = "content";
		$returned_error = "?content=".$_POST['content'];
	}
	if(isset($_POST['meta_description']) && $_POST['meta_description'] !='') {
		$meta_description =  mySQLSafe($_POST['meta_description']) ;
		$returned_error .= "&meta_description=".$_POST['meta_description'];
	} else {
		$post_error = "meta_description";
		$returned_error .= "&meta_description=".$_POST['meta_description'];
	}
	if ($post_error != "None") {
		header( "Location: http://localhost/scams/test.php".$returned_error."&post_error=".$post_error);
	} else {
		echo "<p class ='headline'>Database Updated Code Here<br>";
	}
}

laserlight

get_magic_quotes_gpc()) is off

magic_quotes_gpc is off? Great! 🙂

I have included some php code that is the basis of what I am doing in a page called test.php, could you look and tell me if I am right or wrong and also about the quoting I would be most appreciated.

Now, since magic_quotes_gpc is off, your "strip quotes if already in" part is wrong. You do not need to strip slashes since no slashes would have been added in the first place. Those slashes that do exist are legitimate and should not be removed.

Therefore, I would expect something like this:

function mySQLSafe($value) {
	// Quote value
	if(version_compare(phpversion(),"4.3.0")=="-1") {
		$value = mysql_escape_string($value);
	} else {
		$value = mysql_real_escape_string($value);
	}
	return trim($value);
}

Note that trim() returns a value, so I have fixed that in the above example. Incidentally, you might want to make life simpler and just require a minimum of PHP 4.3.0 instead of doing that version check, especially since the entire PHP 4 release series is obsolete.

Next, let's examine this line:

echo "<input type='text' name='meta_description' id='meta_description' value='".htmlspecialchars($_GET['meta_description'])."' size='100' maxlength='254'>";

You escaped $_GET['meta_description'] for printing as HTML. This is correct, though unfortunately you failed to do this in some other lines. However, there is a catch: by default, htmlspecialchars() does not escape single quotes. But you are using single quotes to quotes the attribute value (value='".htmlspecialchars($GET['meta_description'])."'). This mean that if $GET['meta_description'] contains the value "John's thing", the attribute will come out as "value='John's thing'". See the problem? A forgiving HTML parser will parse that as "value='John' and ignore the rest, and this causes the truncation that you encountered.

One solution to this problem is to use double quotes to quote instead:

echo '<input type="text" name="meta_description" id="meta_description" value="' . htmlspecialchars($_GET['meta_description']) . '" size="100" maxlength="254">';

This is what I prefer. However, another solution is to specify that you want htmlspecialchars() to escape single quotes as well:

echo "<input type='text' name='meta_description' id='meta_description' value='" . htmlspecialchars($_GET['meta_description'], ENT_QUOTES) . "' size='100' maxlength='254'>";

Pigmaster

laserlight;10887043 wrote:
This is what I prefer. However, another solution is to specify that you want htmlspecialchars() to escape single quotes as well:
echo "<input type='text' name='meta_description' id='meta_description' value='" . htmlspecialchars($_GET['meta_description'], ENT_QUOTES) . "' size='100' maxlength='254'>";

I tried you suggestions Laserlight, but I keep getting \\' eg for john's I get john\\'s

I did not think this was going to confuse me but I have been struggling with this simple code for 48hrs now.

Being in Singapore, are you going to see the GP next week?

laserlight

I tried you suggestions Laserlight, but I keep getting \\' eg for john's I get john\\'s

That implies that magic_quotes_gpc is on, despite your claim to the contrary. Actually, there's more: if magic_quotes_gpc was on, you should get john\'s not john\\'s.

As it stands, I think that you have magic_quotes_gpc on and are accidentally printing the return value of mySQLSafe().

Actually, if you want to save submitted form values, do something like this:

<?php
function printAttributeValue($name) {
	if (isset($_POST[$name])) {
		echo ' value="' . htmlspecialchars($_POST[$name]) . '"';
	}
}
?>

// ...

<input type="text" name="foo"<?php printAttributeValue('foo'); ?> />

This is better than your current method of trying to duplicate the submitted values in the query string.

Being in Singapore, are you going to see the GP next week?

No, too expensive.