[KLUG Members] php and quotation marks

Adam Tauno Williams adam at morrison-ind.com
Tue Sep 27 10:59:52 EDT 2005


> > Lunitix wrote:
> > > I, not too long ago, asked a question about quotation marks (") with php 
> > > and mysql.  The response was to add htmlspecialchars to my code.  
> Where did you add that?

That was for displaying to the client (I believe) not for inserting into
the database.

> > > allows the quotation marks (") can now be used, but the flipside is that 
> > > single quotes (') now creates the errors that the double quotes did.

The Horde people's recommendations for quoting are here:
http://manuals.thexdershome.com/horde/horde-2.2/CODING_STANDARDS

These guys know more about HTML and PHP than just about anyone else.  I
try to stick to their recommendations.

> "UPDATE single SET category='$category' ... "

The horde people always use outer literal quotes and double quote
internally.

> Even though $category is in single quotes it will still work as expected
> because the whole thing is in double quotes.

Yep,  that is why it gets confusing.

> If the value of $category has a single quote, it must be escaped.  Thus
> the value "O'malley" must become "O\'malley" to put it in the db.  You
> can have php do that for you whenever you do db inserts by setting
> gpc_magic_quotes on, or, what I prefer, do it yourself with "addslashes"
> when you check your data (you are checking your data, right?).

Yes, do it yourself.  Magic quotes gets weird sometimes and even the PHP
people seem to discourage it these days.

> $category=addslashes($category);
> That will handle quotes for you.
> For displaying HTML, escaping is also the best solution.
> echo "<p align="center">This is my paragraph</p>";
> This will fail before the word -center- because the double quotes there
> will close the opening double quote at the beginning.  PHP thinks you're
> done quoting.  The rest of the clause then makes no sense to PHP.

Right, use single outer quotes, always.

> echo "<p align=\"center\">This is my paragraph</p>";
> That works, you've escaped the double quotes inside the clause.
> You can try using single quotes, but you'll run into the same
>  problem.
> echo '<p align='center'>This is my paragraph</p>';
> The code above will fail before the word center, PHP thinks you're done
> quoting.
> echo '<p align=\'center\'>This is my paragraph</p>';
> That will work.
> You can try alternating quotes and double quotes but you end up being
> more confused for each new clause (Do I start this time with a double
> quote or a single quote?).  Plus, your code starts getting weird because
> it is inconsistent.
> htmlspecialchars isn't a great solution because it turns quotes (and
> other things) into non-meaningful symbols.
> $mystring = htmlspecialchars ("<p align='center'>This is my

Right, you shouldn't use htmlspecialchars for HTML, but for strings you
want to safely display without affecting the HTML context,

$yo = '</TD>';
printf('<TR><TD>%s</TD></TR>', htmlspecialchars($yo));

results in "<TR><TD>&lt;/TD&gt;</TD></TR>" to the browser and displays
the way you wanted it to.  

NEVER trust a string from a user, file, or database as something safe to
arbitrarily toss into an HTML document.
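The two escaping contexts discussed above, SQL literals and HTML text, in one runnable script. This is an added example, not code from the thread; the function names, the WHERE clause and the sample values are constructed for illustration.

```php
<?php
// Added example (not from the thread): each output context gets its own
// escaper. Helper names, the id column and sample values are constructed.

// SQL context: escape quotes and backslashes inside the single-quoted
// literal, as the thread recommends with addslashes(). Note that
// addslashes() is not charset-aware; a driver escaper or a prepared
// statement is the safer choice on current PHP.
function sqlUpdateCategory(string $category, int $id): string
{
    $safe = addslashes($category);
    return "UPDATE single SET category='$safe' WHERE id=$id";
}

// HTML context: escape the data with htmlspecialchars(), never the markup,
// so a value such as "</TD>" is displayed instead of closing the cell.
// ENT_QUOTES also converts single quotes, which matters inside attributes.
function htmlTableRow(string $value): string
{
    return sprintf('<TR><TD>%s</TD></TR>',
                   htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed inputs that exercise both quote characters and a closing tag.
$examples = ["O'malley", 'say "hi"', '</TD>'];
foreach ($examples as $s) {
    echo sqlUpdateCategory($s, 1), "\n";
    echo htmlTableRow($s), "\n";
}
```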