What would I do without you folks! I hope I learn enough so I can eventually pay it forward. But in the meantime...

OK here's the problem:

I'm creating a dynamic select list that ends up pulling items from the data base that contain an apostrophe (as in the word "Alzheimer's").

so php generates the following html:

<option value='aging'>aging</option>
<option value='Alzheimer's'>Alzheimer's</option>
<option value='antacids'>antacids</option> 
....

Of course when "Alzheimer's" is sent as a variable it mucks up the works and destroys the query I'm sending it to.

Now I know if I was to create the option manually, I'd escape the ' with a slash. Is there a way to escape it programatically as I'm pulling it from the database to populate the select list?

Or do I have to change the stuff in the data base so that it pre-escaped?

(I'm feeling like maybe I have a touch of Alzheimer's) :queasy:

    have a look at

    addslashes()
    stripslashes()
    mysql_real_escape_string()

      double quote you're html attributes, and apply mysql_real_escape_string() to the variables being inserted in to the db.

        As dagon pointed out, make sure you're sanitizing user-supplied data (all user-supplied data, at that!) when INSERT'ing it into the database.

        As for outputting data from a SQL db into an HTML document, I actually have a different suggestion than those above. In this case, I personally would run the SQL-supplied data through [man]htmlspecialchars/man before placing it into HTML code such as an OPTION element to ensure that I don't inadvertently break the HTML's syntax while using external data.

          Thanks to you all folks.
          This may take a while (and be assured when I sort out my problem I'll resolve the thread). I'm experimenting with all of this in between learning (or trying to learn) tons of other stuff at lightning speed.

          rikmoncur Thanks for the quick answer!

          dagon, You picked up on the sign of how clueless I am. Your point about double quoting my html attributes is well taken. I would ordinarily double quote html attributes when writing it by hand, but wasn't thinking about how the single quote in my php would go bad when it encountered the single quote in the variable. Of course the easy answer is to escape the double quotes in my php not the single quote in Alzheimer's.. doh!

          Now that the form is passing the whole word with the apostrophe I'm off to figure out how to manage it when it gets passed to the form processor and the db. So far I keep getting mysql errors when trying to use mysql_real_escape_string(). Though a connection is there and working, it complains that the function has been denied access. Obviously, I need to do some more figuring out on that one.

          bradgrafelman THEN I will see what htmlspecialchars() can do for me. While checking data in this instance is not particularly important, it would be nicer not to worry about the odd character slipping in (not to mention I am aware of the problems of code injection and such and will want to be sure to learn enough to protect the data before sending anything into production).

          I can't tell you all how much I appreciate you putting up with this newbie.

            OK, now comes the problem with mysql_real_escape_string()

            This is the warning I get

            Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'SYSTEM'@'localhost' (using password: NO)

            I quickly realized that I'm not connected to the db using SYSTEM so I changed the privileges table in mysql to include SYSTEM and tried creating a connection using that user and password before calling the method.

            No go.

            I'm going to google it some more, but any help would be appreciated.

              You need to do your mysql_connect() before using mysql_real_escape_string().

                Yes, I did. I ran the call for the connection on the line before I called the mysql_real_escape_string() function. I even tested it by dropping a query on the same page. The query runs and I get a response. It is only the mysql_real_escape_string() that throws the error.

                  Can you show us the code that includes the call to mysql_connect (don't forget to remove your DB credentials) as well as where you're trying to escape data?

                    you are using mysql and not maybe mysli? I don't see you posting what db or Extension you are using.

                      Dagon, you were so right. I added a connection to mysql and the error vanished. HOWEVER, I'm still getting an error when passing the word with a single quote/apostrophe to the query. My guess is that I don't clearly understand how the mysql_real_escape_string function is supposed to work.

                      I guess there's nothing left but to show off my wimpy code with the error. It works perfectly unless the word passed to the query has an apostrophe.

                      Error:

                      Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in C:\wamp\www\show_arts_key.php on line 15

                      Code:

                      $key_req = $_POST['key_req']; 
// mysql connection
require_once('Connections/sqlnoi.php');
mysql_real_escape_string($key_req);
// mysqli connection
require_once('Connections/local.php');
$query_keys = "SELECT titles.title, titles.year, keywords.keyword
	FROM keywords INNER JOIN (titles INNER JOIN keywordarticle
	ON titles.articleID=keywordarticle.articleID
	AND keywordarticle.keywordID = '$key_req')
	ON keywords.keyword=keywordarticle.keywordID";
$result = mysqli_query ($cxn,$query_keys);
echo "<h2>" . $key_req ."</h2>\n<ul>";
while($row = mysqli_fetch_assoc($result)){
	$title = $row['title'];
	echo "<li>".$title."</li>";
}
echo "</ul>"

                        Big stupid me... I got it working.

                        New code:

                        // mysql connection
require_once('Connections/sqlnoi.php');
$escapekey = mysql_real_escape_string($key_req);
// mysqli connection
require_once('Connections/local.php');
$query_keys = "SELECT titles.title, titles.year, keywords.keyword
FROM keywords INNER JOIN (titles INNER JOIN keywordarticle
		ON titles.articleID=keywordarticle.articleID
		AND keywordarticle.keywordID = '$escapekey')
		ON keywords.keyword=keywordarticle.keywordID";
$result = mysqli_query ($cxn,$query_keys);
echo "<h2>" . $key_req ."</h2>\n<ul>";
while($row = mysqli_fetch_assoc($result)){
	$title = $row['title'];
	echo "<li>".$title."</li>";
}
echo "</ul>"

                        THANKS ALL

                          If you're using the MySQLi library, you should be using [man]mysqli_real_escape_string/man...

                            Thanks... yep... I did finally figure that out. So finally:

                            $key_req = $_POST['key_req']; 
require_once('Connections/local.php');
$key_req = mysqli_real_escape_string($cxn,$key_req);
$query_keys = "SELECT titles.title, titles.year, keywords.keyword
		FROM keywords INNER JOIN (titles INNER JOIN keywordarticle
		ON titles.articleID=keywordarticle.articleID
		AND keywordarticle.keywordID = '$key_req')
		ON keywords.keyword=keywordarticle.keywordID";
$result = mysqli_query ($cxn,$query_keys);
echo "<h2>" . stripslashes($key_req) ."</h2>\n<ul>";
while($row = mysqli_fetch_assoc($result)){
		$title = $row['title'];
		echo "<li>".$title."</li>";
}
echo "</ul>"

                            Again. Thanks to all of you. I'll probably be stumbling in here a bit as I feel my way around.

                              Write a Reply...