abinidi Posted December 22, 2005

I'm collecting recipes, and I've created a form in HTML. Users click on a "preview" button to check out their response before they click on a submit button to enter it in the database.

Everything works perfectly except when users put an apostrophe in one of the form fields.

Say for example, I'm entering my famous pancake recipe. I use the recipe title: Paul's famous pancakes

On the preview page, the output is shown as: Paul\'s famous pancakes.

In order to get that variable to the next page where I do the entering of the data into the database, I pass the variable as a hidden value in a form so when it POSTs to the next page I can just use the same variable over again.

But when you look at the data that is inserted into the database, it is cutting off everything after the "l" in Paul.

I tried using the $variable = str_replace("\'","'",$variable); command, but it doesn't seem to be working for me.

Anybody have any suggestions on what I should do? I can post my code, if necessary...

abinidi Posted December 22, 2005

I don't know what the best solution was, but here is what I did.

I noticed that on my preview page any apostrophes were coming out as being escaped, so I'd get: Paul\'s famous pancakes.

So on that preview page, I added the following code to all the fields that allow text:

    $variableName = str_replace("\'","'",$variableName);
    echo $variableName;
    $variableName= str_replace("'","",$variableName);

This converted the \' to a normal apostrophe, so when they were previewing it, it looked right to them. Then it removed all apostrophes from the text, and the data is stored in the database without apostrophes.

This works fine for me, because I'm going to extract the data from the database and put it in a book. I'm not going to display it online. However, I'm not sure what the solution would be if I wanted to display the data online, because in that case, you'd want to leave the apostrophes in the text. I'm just not experienced enough with PHP to understand how it is escaping my characters automatically in order to correct it when you pass the variable from one page to a second page as a variable, then store it again as a variable to pass to a third page.

I hope that made sense.

stevesh Posted December 22, 2005

I'm no programmer, either, but...

From the Phorm (www.phorm.com) forums:

    $Message = stripslashes($Message);

where $Message is the field name.

Seems this has something to do with 'Magic Quotes' being turned on in the PHP config on the server.

The Phorm forums have a lot of very useful info about sending form data, and the program itself is very good.

Steve

borfast Posted December 23, 2005

Paul, take a look at addslashes()

Edited December 23, 2005 by borfast

wayne Posted December 24, 2005

    $value_var = stripslashes ($value_var);

Use to remove slash to display data on a web page.

    $value_var = addslashes ($value_var);

Use to add the slash back to put data to a database. The slash is used to escape the apostrophe, otherwise the apostrophe signifies end of the string and you only get Paul in the database instead of Paul's.

wayne

surefire Posted December 26, 2005

mysql real escape string

http://us2.php.net/manual/en/function.mysq...cape-string.php

Edited December 26, 2005 by surefire

Leprakawn Posted May 21, 2008

> $variableName = str_replace("\'","'",$variableName);
> echo $variableName;
> $variableName= str_replace("'","",$variableName);
>
> I hope that made sense.

Paul:

I tried your suggestion; however, I think I am putting it in the wrong spot.

    $variableName = str_replace("\'","'",$variableName);
    echo $variableName;
    $variableName= str_replace("'","",$variableName);
    $main_type = 'contact';
    $message = (string) '';
    $message.= " Name: " . $_POST['name'] .
    " Email: " . $_POST['email'] .
    " Phone: " . $_POST['AreaCode'] . "." . $_POST['Prefix'] . "." . $_POST['Numero'] .
    " Type: " . $_POST['inquiry_type'] .
    " Response method: " . $_POST['respond'] .
    " Comments: " . $_POST['comments'] . "

I just dumped it there thinking that was the most likely place it should go... but it is not working. Can you please say where to place it?

Many thanks!!

panasonic Posted November 27, 2008

Hi Guys,

I'm sure you've all but forgotten this string... but it was useful to me today and I thought I'd reciprocate with a little thing I realized.

I too was previewing the information before entering into the database and went crazy trying to deal with apostrophes and quotations in the preview string and then getting them into the database. I was trying to string_replace the "'" at one point and it didn't work, so your idea of doing it to the whole "\'" escaped apostrophe (because of the magic quote situation) let me realize I could replace it with the html code for an apostrophe!

This works:

    // first we'll fix the magic quotes problem with the apostrophe
    $description = str_replace("\'"," 8217;",$description);
    // then pick up all the old values to pass to database on next submit
    echo "<input type='hidden' name='description' value='$description'>";

Notice I put a space in the middle of the html code for apostrophe so that you would see the code instead of the apostrophe it displays! Be sure to take that space back out if you try to use this little snippet.

So... whoever is next to find this string - enjoy!

PM

TCH-Bruce Posted November 27, 2008

Welcome to the forums, panasonic.

And thank you for the input.

OJB Posted November 27, 2008

I would say don't use str_replace... it is pretty slow in comparison to other functions.

Just use the built in mysql_real_escape_string($string_to_escape) when saving to the db.

If they are returning slashes then use stripslashes($string_to_strip) or even preg_replace("/\\\'/","'", $string_to_strip); - preg_replace is much quicker than str_replace and much more efficient.

Edit: missed off a backslash from the regular expression in preg_replace

Also... just to show you how they work, give these a go:

    <?php
    // String with slash
    $string = "Paul\'s famous pancakes";
    // Print the string
    echo $string;
    // Print the string after stripslashes()
    echo '<br/>'.stripslashes($string);
    // Use preg_replace to strip the slashes
    $string = preg_replace("/\\\'/","'", $string);
    // Print the stripped string
    echo '<br/>'.$string;
    ?>

This results in:

    Paul\'s famous pancakes
    Paul's famous pancakes
    Paul's famous pancakes

Edited November 27, 2008 by OJB

OJB Posted November 28, 2008

^^^ Having just checked, it appears I got it confused. preg_replace is quicker when you are doing complex things like regular expressions pattern matching and replacement; for a simple character change in a string, str_replace is just as quick if not quicker.

So you can use all of the methods mentioned... apologies for confusing the matter...

carbonize Posted December 3, 2008

Just a cut down example of how Lazarus now deals with it:

    if (get_magic_quotes_gpc()) // Check if server is adding slashes to submitted data and if so strip them
    {
        $this->name = stripslashes($this->name);
        $this->location = stripslashes($this->location);
    }
    // Now that we have slashless variables we can add slashes
    $this->name = mysql_real_escape_string($this->name);
    $this->location = mysql_real_escape_string($this->location);

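
The same string passes through two contexts in this thread, an HTML attribute on the preview page and an SQL statement on the insert page, and each needs its own encoding. The following is an added example, not code from any poster: it undoes magic-quote slashes once, encodes the hidden field with htmlspecialchars(), and stores the value through a bound parameter. It assumes PHP 7 or later with PDO and an in-memory SQLite database standing in for the thread's MySQL one; the function and table names are hypothetical.

```php
<?php
// Added example, not code from the thread. Function and table names are hypothetical.
// Constructed input: the title as PHP delivers it when magic quotes are on.
$raw = "Paul\\'s famous pancakes";

// 1. Undo magic quotes once, at the input boundary. On the PHP versions the
//    thread used, $magicQuotesOn would come from get_magic_quotes_gpc().
function undo_magic_quotes(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// 2. HTML context: encode for an attribute value. ENT_QUOTES encodes both
//    ' and ", so the apostrophe cannot terminate the value attribute early.
function hidden_field(string $name, string $value): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

// 3. SQL context: pass the value as a bound parameter, so no manual
//    slash-adding is needed and the apostrophe cannot end the SQL string.
function save_recipe(PDO $db, string $title): string
{
    $stmt = $db->prepare('INSERT INTO recipes (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    // Read the row back to show what was actually stored.
    return $db->query('SELECT title FROM recipes ORDER BY id DESC LIMIT 1')
              ->fetchColumn();
}

// Preview page: clean the input, then emit the hidden field.
$title = undo_magic_quotes($raw, true);
echo hidden_field('title', $title), "\n";

// Insert page: the browser decodes the attribute, so the posted value is
// the plain title again; store it with a prepared statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE recipes (id INTEGER PRIMARY KEY, title TEXT)');
echo save_recipe($db, $title), "\n";
```

The stored title keeps its apostrophe, so the data can later be shown online by passing it through htmlspecialchars() again at output time.
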