carbonize Posted August 8, 2006 (edited)

OK I am trying to add a search function to Lazarus. All is working fine except where single quotes are concerned. At present it accepts both POST and GET data with POST coming last. Anyway if you submit a ' via POST all is fine. I then pass the search string to urlencode before adding it to the end of pagination links. That works fine with ' becoming %27. I decode when I turn the GET into a standard variable and that's fine as it becomes \'. I strip slashes if needed then pass to htmlspecialchars. It keeps converting the ' into &#039; even with ENT_COMPAT set, which according to php.net: "The default mode, ENT_COMPAT, is the backwards compatible mode which only translates the double-quote character and leaves the single-quote untranslated." Apart from that my search function is fine so any ideas, or am I going to have to use a hack fix and convert ' to &#039; myself in the code?

BTW this damn forum is stupid. It converts &#039; into ' but leaves & alone.

Edited August 8, 2006 by carbonize
TweezerMan Posted August 8, 2006

Based on my testing, using htmlspecialchars() with any of the quote style constants (or none of them) works as described in the PHP documentation. I wrote the following script and tested it on my server:

    <?php
    header('Content-Type: text/plain');

    echo 'ENT_COMPAT = ' . ENT_COMPAT . "\n";
    echo 'ENT_QUOTES = ' . ENT_QUOTES . "\n";
    echo 'ENT_NOQUOTES = ' . ENT_NOQUOTES . "\n";
    echo "\n";

    $text = 'one \' two " three &';
    echo "Encoding special characters in string [$text]:\n";
    echo 'DEFAULT: ' . htmlspecialchars($text) . "\n";
    echo 'ENT_COMPAT: ' . htmlspecialchars($text, ENT_COMPAT) . "\n";
    echo 'ENT_QUOTES: ' . htmlspecialchars($text, ENT_QUOTES) . "\n";
    echo 'ENT_NOQUOTES: ' . htmlspecialchars($text, ENT_NOQUOTES) . "\n";
    ?>

The script displays the following results:

    ENT_COMPAT = 2
    ENT_QUOTES = 3
    ENT_NOQUOTES = 0

    Encoding special characters in string [one ' two " three &]:
    DEFAULT: one ' two &quot; three &amp;
    ENT_COMPAT: one ' two &quot; three &amp;
    ENT_QUOTES: one &#039; two &quot; three &amp;
    ENT_NOQUOTES: one ' two " three &amp;

Each of the quote style constants is being properly evaluated by PHP, and when used in htmlspecialchars(), each quote style constant is encoding the correct characters. It's hard to say what's going on without seeing the code and/or a concrete example, but it doesn't look like it's due to htmlspecialchars() not handling ENT_COMPAT correctly.
carbonize Posted August 9, 2006 (edited)

No, after some more testing the bug is errr bizarre. I now have both POST and GET to work exactly the same. Slashes are stripped, it's passed to htmlspecialchars etc. But for some reason the ' from a GET request is converted but not from a POST request. Here are the code snippets. First one is getting the variables from the requests.

    // Read the search parameters; a POST value overrides a GET value
    $gb->searchfield = (isset($_GET['searchfield'])) ? $_GET['searchfield'] : '';
    $gb->searchtext  = (isset($_GET['searchtext'])) ? urldecode($_GET['searchtext']) : '';
    $gb->searchfield = (isset($_POST['searchfield'])) ? $_POST['searchfield'] : $gb->searchfield;
    $gb->searchtext  = (isset($_POST['searchtext'])) ? urldecode($_POST['searchtext']) : $gb->searchtext;

Here is where I handle it.

    // Undo magic_quotes_gpc escaping, then HTML-encode the search text
    if (get_magic_quotes_gpc()) {
        $this->searchtext = stripslashes($this->searchtext);
    }
    $this->searchtext = htmlspecialchars($this->searchtext, ENT_COMPAT);

    // SQL fragments built from the (encoded) search text
    $this->searchquery  = ' AND '.$this->searchfield.' LIKE \'%'.$this->searchtext.'%\'';
    $this->searchquery2 = ' AND x.'.$this->searchfield.' LIKE \'%'.$this->searchtext.'%\'';

    // Hidden form fields and pagination link suffix carrying the search
    $this->searchtext = urlencode($this->db->undo_htmlspecialchars($this->searchtext));
    $this->postsearch = '<input type="hidden" name="searchfield" value="'.$this->searchfield.'">
    <input type="hidden" name="searchtext" value="'.$this->searchtext.'">';
    $this->getsearch  = '&searchfield='.$this->searchfield.'&searchtext='.$this->searchtext;

I did some testing by having it echo the searchtext at various points and it's definitely after $this->searchtext = htmlspecialchars($this->searchtext, ENT_COMPAT) that the ' is getting converted.

Edited August 9, 2006 by carbonize
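As an added example (not carbonize's code and not Lazarus's), the snippets above rebuilt so that the raw search text is kept unchanged and encoded once per output context: htmlspecialchars() with ENT_QUOTES for the hidden inputs, http_build_query() for the pagination link, and a bound parameter for the SQL LIKE pattern instead of string concatenation. Two points the thread's code does not show: PHP has already percent-decoded $_GET and $_POST before the script runs, so a further urldecode() turns a literal + into a space and corrupts %-sequences; and the column name is taken from a fixed list rather than from the request. The table name entries, the columns name and message, and the in-memory SQLite database used by the demo are assumptions made for the example.

```php
<?php
// Added example, not the poster's code. It rebuilds the search feature so that
// the raw search text is kept as-is and encoded once per output context.
// Assumed (hypothetical) names: table `entries`, searchable columns `name` and
// `message`; the demo at the bottom runs against an in-memory SQLite database.

// Columns a user may search. The request selects one of these by name; the
// column name itself never comes from the request.
function allowed_search_fields()
{
    return array('name', 'message');
}

// PHP has already %-decoded $_GET and $_POST (and turned '+' into a space), so
// calling urldecode() on them again corrupts values that contain '+' or '%'.
// stripslashes() belongs here only when magic_quotes_gpc added the slashes.
function request_value($name, array $get, array $post)
{
    if (isset($post[$name])) {
        $value = $post[$name];      // POST takes precedence, as in the original
    } elseif (isset($get[$name])) {
        $value = $get[$name];
    } else {
        return '';
    }
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

function search_field(array $get, array $post)
{
    $fields = allowed_search_fields();
    $field  = request_value('searchfield', $get, $post);
    return in_array($field, $fields, true) ? $field : $fields[0];
}

// HTML attribute context: ENT_QUOTES also encodes the single quote, so the
// value is safe whether the attribute is delimited with " or '.
function hidden_inputs($field, $text)
{
    return '<input type="hidden" name="searchfield" value="' . htmlspecialchars($field, ENT_QUOTES) . '">'
         . '<input type="hidden" name="searchtext" value="' . htmlspecialchars($text, ENT_QUOTES) . '">';
}

// URL context: http_build_query() percent-encodes each value (' becomes %27).
// When the result is placed inside an href it still needs htmlspecialchars().
function search_query_string($field, $text)
{
    return '&' . http_build_query(array('searchfield' => $field, 'searchtext' => $text));
}

// SQL context: the LIKE pattern is a bound parameter, never concatenated. The
// user's own %, _ and ! are escaped so they match literally. $field is safe to
// interpolate only because search_field() restricted it to the fixed list.
function search_statement(PDO $db, $field, $text)
{
    $literal = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $text);
    $stmt = $db->prepare("SELECT id, $field FROM entries WHERE $field LIKE :pattern ESCAPE '!'");
    $stmt->bindValue(':pattern', '%' . $literal . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, name TEXT, message TEXT)');
$db->exec("INSERT INTO entries (name, message) VALUES ('O''Neil', '100% sure'), ('Smith', 'hello')");

// Simulate following a pagination link: build the query string, then parse it
// the way PHP does for $_GET (percent-decoding included).
$qs = search_query_string('name', "O'Neil");
parse_str(ltrim($qs, '&'), $get);

$field = search_field($get, array());
$text  = request_value('searchtext', $get, array());

echo "query string : $qs\n";
echo "decoded text : $text\n";
echo "hidden inputs: " . hidden_inputs($field, $text) . "\n";
echo "name matches : " . count(search_statement($db, $field, $text)) . "\n";

// A literal percent sign in the search text matches only rows containing '%',
// not every row, because the wildcard was escaped before binding.
echo "'%' matches  : " . count(search_statement($db, 'message', '%')) . "\n";
```

The demo round-trips a single quote through the pagination link and back into a search without any stripslashes()/htmlspecialchars()/undo step on the stored value: the quote only ever changes form at the moment it is written into HTML, a URL or a bound SQL parameter, so each sink sees exactly the encoding it expects.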