[KLUG Members] php and quotation marks

bill bill at billtron.com
Tue Sep 27 09:44:36 EDT 2005


On Mon, 2005-09-26 at 22:35, Lunitix wrote:
> Sorry.  I intended to include the code for the input/update page.
> 
> $update=$_GET['update'];
> $catnum=$_GET['jeop_catnum'];
> $category=$_GET['jeop_category'];
> $ques2=$_GET['jeop_ques2'];
> $ans2=$_GET['jeop_ans2'];
> $ques4=$_GET['jeop_ques4'];
> $ans4=$_GET['jeop_ans4'];
> $ques8=$_GET['jeop_ques8'];
> $ans8=$_GET['jeop_ans8'];
> $ques16=$_GET['jeop_ques16'];
> $ans16=$_GET['jeop_ans16'];
> $ques32=$_GET['jeop_ques32'];
> $ans32=$_GET['jeop_ans32'];
> $ques64=$_GET['jeop_ques64'];
> $ans64=$_GET['jeop_ans64'];
> $ques128=$_GET['jeop_ques128'];
> $ans128=$_GET['jeop_ans128'];
> $ques256=$_GET['jeop_ques256'];
> $ans256=$_GET['jeop_ans256'];
> 
> if ($update=='true') {
> 	$query="UPDATE single SET
> 	category='$category', ques2='$ques2', ans2='$ans2', ques4='$ques4', 
> ans4='$ans4', ques8='$ques8', ans8='$ans8', ques16='$ques16', 
> ans16='$ans16', ques32='$ques32', ans32='$ans32', ques64='$ques64', 
> ans64='$ans64', ques128='$ques128', ans128='$ans128', 
> ques256='$ques256', ans256='$ans256'
> 	WHERE catnum='$catnum' ";
> } else {
> 	$query="INSERT INTO single ( catnum, category, ques2, ans2, ques4, 
> ans4, ques8, ans8, ques16, ans16, ques32, ans32, ques64, ans64, ques128, 
> ans128, ques256, ans256) VALUES ('$catnum', '$category', '$ques2', 
> '$ans2', '$ques4', '$ans4', '$ques8', '$ans8', '$ques16', '$ans16', 
> '$ques32', '$ans32', '$ques64', '$ans64', '$ques128', '$ans128', 
> '$ques256', '$ans256')";
> }

Are you saying the code above doesn't work?

> 
> Lunitix wrote:
> > I, not too long ago, asked a question about quotation marks (") with php 
> > and mysql.  The response was to add htmlspecialchars to my code.  

Where did you add that?

> > That allows the quotation marks (") to be used, but the flipside is that 
> > single quotes (') now create the errors that the double quotes did.
> > 
> > How can I get both the single and double quotes to work?

Single quotes (') are literal, double quotes (") handle variables.  

$sam  = 'buddy'; 
$fred = "friend";
$joe  = '$some guy'; // joe is literally the dollar sign and "some guy"


echo "$sam and $fred and $joe"; // will show all the values
echo '$sam and $fred and $joe'; // will literally display the $names

When you nest quotes you have to be careful to match them.

"UPDATE single SET category='$category' ... "

Even though $category is in single quotes it will still work as expected
because the whole thing is in double quotes.

If the value of $category has a single quote, it must be escaped.  Thus
the value "O'malley" must become "O\'malley" to put it in the db.  You
can have php do that for you whenever you do db inserts by setting
magic_quotes_gpc on, or, what I prefer, do it yourself with "addslashes"
when you check your data (you are checking your data, right?).

$category=addslashes($category);

That will handle quotes for you.

For displaying HTML, escaping is also the best solution.

echo "<p align="center">This is my paragraph</p>";

This will fail before the word -center- because the double quotes there
will close the opening double quote at the beginning.  PHP thinks you're
done quoting.  The rest of the clause then makes no sense to PHP.

echo "<p align=\"center\">This is my paragraph</p>";

That works, you've escaped the double quotes inside the clause.

You can try using single quotes, but you'll run into the same problem.

echo '<p align='center'>This is my paragraph</p>';

The code above will fail before the word center, PHP thinks you're done
quoting.

echo '<p align=\'center\'>This is my paragraph</p>';

That will work.

You can try alternating quotes and double quotes but you end up being
more confused for each new clause (Do I start this time with a double
quote or a single quote?).  Plus, your code starts getting weird because
it is inconsistent.

htmlspecialchars isn't a great solution because it turns quotes (and
other things) into non-meaningful symbols.

$mystring = htmlspecialchars("<p align='center'>This is my paragraph</p>");

echo $mystring;

Now your HTML code doesn't work; it will look as if your browser doesn't
interpret it any more (try it and see).  They're not meaningful symbols
anymore, so the browser can't interpret them, only display them.

Thus, put the results of your db in normal html, echo it out and escape
your double quotes.

$dbval="O'malley";

echo "<p align=\"center\">$dbval</p>";

That will work and the single quote in O'malley won't bother anything.

kind regards,

bill
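As an added example, not code from either poster: the UPDATE/INSERT from the quoted code rewritten with a PDO prepared statement, so values like O'malley or a "quoted" answer travel as bound parameters and need no hand escaping, with htmlspecialchars applied only to the data when it is echoed into HTML, never to the markup. It assumes a PDO connection to the `single` table from the thread (the DSN and credentials are placeholders) and, for brevity, only the category, ques2 and ans2 columns.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL "single" table
// with columns catnum, category, ques2, ans2 (the other ques/ans columns
// would be added to QA_COLUMNS the same way).
declare(strict_types=1);

// Column whitelist: only these names may ever appear in the query text.
const QA_COLUMNS = ['category', 'ques2', 'ans2'];

/**
 * Save one row. Data values are bound parameters, so quote characters
 * in the input are stored as-is and cannot change the shape of the query.
 */
function save_category(PDO $pdo, bool $update, string $catnum, array $fields): void
{
    // Keep only known columns; anything else in the request is ignored.
    $data = array_intersect_key($fields, array_flip(QA_COLUMNS));
    $names = array_keys($data);

    if ($update) {
        $set  = implode(', ', array_map(fn($c) => "$c = :$c", $names));
        $stmt = $pdo->prepare("UPDATE single SET $set WHERE catnum = :catnum");
    } else {
        $cols  = implode(', ', $names);
        $marks = implode(', ', array_map(fn($c) => ":$c", $names));
        $stmt  = $pdo->prepare("INSERT INTO single (catnum, $cols) VALUES (:catnum, $marks)");
    }
    $data['catnum'] = $catnum;
    $stmt->execute($data);
}

/** Render a stored value into HTML: escape the data, not the markup. */
function render_answer(string $dbval): string
{
    return '<p align="center">' . htmlspecialchars($dbval, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample request, shaped like the form in the thread sends it.
$_GET = ['update' => 'true', 'jeop_catnum' => '3', 'jeop_category' => 'Irish names',
         'jeop_ques2' => "Who is O'malley?", 'jeop_ans2' => 'The "other" Malley'];

$fields = [];
foreach (QA_COLUMNS as $c) {
    $fields[$c] = $_GET['jeop_' . $c] ?? '';
}
$pdo = new PDO('mysql:host=localhost;dbname=DBNAME', 'USER', 'PASS'); // placeholder DSN
save_category($pdo, $_GET['update'] === 'true', $_GET['jeop_catnum'], $fields);
echo render_answer($_GET['jeop_ques2']); // <p align="center">Who is O&#039;malley?</p>
```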
