[KLUG Members] php and quotation marks

Lunitix lunitix at earthlink.net
Tue Sep 27 15:51:56 EDT 2005


Seeing that I'm running my own environment, setting "gpc_magic_quotes 
on" makes all things well.  Thanks.

Minding of Madness
Jon

bill wrote:
> On Mon, 2005-09-26 at 22:35, Lunitix wrote:
> 
>>Sorry.  I intended to include the code for the input/update page.
>>
>>$update=$_GET['update'];
>>$catnum=$_GET['jeop_catnum'];
>>$category=$_GET['jeop_category'];
>>$ques2=$_GET['jeop_ques2'];
>>$ans2=$_GET['jeop_ans2'];
>>$ques4=$_GET['jeop_ques4'];
>>$ans4=$_GET['jeop_ans4'];
>>$ques8=$_GET['jeop_ques8'];
>>$ans8=$_GET['jeop_ans8'];
>>$ques16=$_GET['jeop_ques16'];
>>$ans16=$_GET['jeop_ans16'];
>>$ques32=$_GET['jeop_ques32'];
>>$ans32=$_GET['jeop_ans32'];
>>$ques64=$_GET['jeop_ques64'];
>>$ans64=$_GET['jeop_ans64'];
>>$ques128=$_GET['jeop_ques128'];
>>$ans128=$_GET['jeop_ans128'];
>>$ques256=$_GET['jeop_ques256'];
>>$ans256=$_GET['jeop_ans256'];
>>
>>if ($update=='true') {
>>	$query="UPDATE single SET
>>	category='$category', ques2='$ques2', ans2='$ans2', ques4='$ques4', 
>>ans4='$ans4', ques8='$ques8', ans8='$ans8', ques16='$ques16', 
>>ans16='$ans16', ques32='$ques32', ans32='$ans32', ques64='$ques64', 
>>ans64='$ans64', ques128='$ques128', ans128='$ans128', 
>>ques256='$ques256', ans256='$ans256'
>>	WHERE catnum='$catnum' ";
>>} else {
>>	$query="INSERT INTO single ( catnum, category, ques2, ans2, ques4, 
>>ans4, ques8, ans8, ques16, ans16, ques32, ans32, ques64, ans64, ques128, 
>>ans128, ques256, ans256) VALUES ('$catnum', '$category', '$ques2', 
>>'$ans2', '$ques4', '$ans4', '$ques8', '$ans8', '$ques16', '$ans16', 
>>'$ques32', '$ans32', '$ques64', '$ans64', '$ques128', '$ans128', 
>>'$ques256', '$ans256')";
>>}
> 
> 
> Are you saying the code above doesn't work?
> 
> 
>>Lunitix wrote:
>>
>>>I, not too long ago, asked a question about quotation marks (") with php 
>>>and mysql.  The response was to add htmlspecialchars to my code.  
> 
> 
> Where did you add that?
> 
> 
>>>That allows the quotation marks (") to be used, but the flipside is that 
>>>single quotes (') now create the errors that the double quotes did.
>>>
>>>How can I get both the single and double quotes to work?
> 
> 
> Single quotes (') are literal, double quotes (") handle variables.  
> 
> $sam  = 'buddy'; 
> $fred = "friend";
> $joe  = '$some guy'; // joe is literally the dollar sign and "some guy"
> 
> 
> echo "$sam and $fred and $joe"; // will show all the values
> echo '$sam and $fred and $joe'; // will literally display the $names
> 
> When you nest quotes you have to be careful to match them.
> 
> "UPDATE single SET category='$category' ... "
> 
> Even though $category is in single quotes it will still work as expected
> because the whole thing is in double quotes.
> 
> If the value of $category has a single quote, it must be escaped.  Thus
> the value "O'malley" must become "O\'malley" to put it in the db.  You
> can have php do that for you whenever you do db inserts by setting
> gpc_magic_quotes on, or, what I prefer, do it yourself with "addslashes"
> when you check your data (you are checking your data, right?).
> 
> $category=addslashes($category);
> 
> That will handle quotes for you.
> 
> For displaying HTML, escaping is also the best solution.
> 
> echo "<p align="center">This is my paragraph</p>";
> 
> This will fail before the word -center- because the double quotes there
> will close the opening double quote at the beginning.  PHP thinks you're
> done quoting.  The rest of the clause then makes no sense to PHP.
> 
> echo "<p align=\"center\">This is my paragraph</p>";
> 
> That works, you've escaped the double quotes inside the clause.
> 
> You can try using single quotes, but you'll run into the same
> problem.
> 
> echo '<p align='center'>This is my paragraph</p>';
> 
> The code above will fail before the word center, PHP thinks you're done
> quoting.
> 
> echo '<p align=\'center\'>This is my paragraph</p>';
> 
> That will work.
> 
> You can try alternating quotes and double quotes but you end up being
> more confused for each new clause (Do I start this time with a double
> quote or a single quote?).  Plus, your code starts getting weird because
> it is inconsistent.
> 
> htmlspecialchars isn't a great solution because it turns quotes (and
> other things) into non-meaningful symbols.
> 
> $mystring = htmlspecialchars ("<p align='center'>This is my
> paragraph</p>");
> 
> echo $mystring;
> 
> Now your HTML code doesn't work, it will look like your browser doesn't
> interpret it any more. (try it and see).  They're not meaningful symbols
> anymore so the browser can't interpret them, only display them.
> 
> Thus, put the results of your db in normal html, echo it out and escape
> your double quotes.
> 
> $dbval="O'malley";
> 
> echo "<p align=\"center\">$dbval</p>";
> 
> That will work and the single quote in O'malley won't bother anything.
> 
> kind regards,
> 
> bill
> 
> 
> 
> _______________________________________________
> Members mailing list
> Members at kalamazoolinux.org
> 
> 
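Editor's note, added to this archived thread and not part of either poster's message: the thread mixes up two different escaping problems. A quote inside a value that is interpolated straight into an SQL string (as in the UPDATE/INSERT above) is an SQL injection issue, and neither htmlspecialchars nor magic quotes is the right tool for it (the directive is actually spelled magic_quotes_gpc, and it was removed in PHP 5.4). The fix is to send values as bound parameters so quotes are never parsed as SQL at all; htmlspecialchars then belongs at output time, for the HTML context only. The example below shows both, with a reduced in-memory SQLite table (catnum, category, ques2, ans2 rather than all eighteen columns) so it runs offline; the function names and the sample request are assumptions made for the example, and it needs the pdo_sqlite extension.

```php
<?php
// Added example (not from the thread): the same INSERT/UPDATE as prepared
// statements, plus output escaping done for the HTML context only.
// Reduced schema and constructed data, so it runs offline with pdo_sqlite.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE single (
    catnum   INTEGER PRIMARY KEY,
    category TEXT NOT NULL,
    ques2    TEXT NOT NULL,
    ans2     TEXT NOT NULL
)');

// Columns a request may set; anything else in the request is ignored.
const FIELDS = ['category', 'ques2', 'ans2'];

/** Pull the expected fields out of a request array; missing ones become ''. */
function readFields(array $request): array
{
    $row = [];
    foreach (FIELDS as $f) {
        $row[$f] = (string)($request["jeop_$f"] ?? '');
    }
    return $row;
}

/**
 * Insert or update one category row (hypothetical helper). Values travel as
 * bound parameters, so quotes of either kind are plain data: no addslashes,
 * no magic quotes, and no way for a value to end the SQL string early.
 */
function saveCategory(PDO $pdo, array $request): void
{
    // catnum is numeric in the schema, so validate it as an integer up front.
    $catnum = filter_var($request['jeop_catnum'] ?? null, FILTER_VALIDATE_INT);
    if ($catnum === false) {
        throw new InvalidArgumentException('jeop_catnum must be an integer');
    }
    $row = readFields($request);

    if (($request['update'] ?? '') === 'true') {
        $sql = 'UPDATE single SET category = :category, ques2 = :ques2, ans2 = :ans2
                WHERE catnum = :catnum';
    } else {
        $sql = 'INSERT INTO single (catnum, category, ques2, ans2)
                VALUES (:catnum, :category, :ques2, :ans2)';
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($row + ['catnum' => $catnum]);
}

/** Render one row as HTML. Escaping happens here, at output, for the HTML context. */
function renderCategory(PDO $pdo, int $catnum): string
{
    $stmt = $pdo->prepare('SELECT category, ques2, ans2 FROM single WHERE catnum = :catnum');
    $stmt->execute(['catnum' => $catnum]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    // ENT_QUOTES encodes both ' and ", so the value is safe inside any HTML attribute.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p align="center">' . $h($row['category']) . "</p>\n"
         . '<p>Q: ' . $h($row['ques2']) . '<br>A: ' . $h($row['ans2']) . "</p>\n";
}

// Constructed request, standing in for $_GET. Both quote styles appear in the data.
$request = [
    'jeop_catnum'   => '7',
    'jeop_category' => "O'malley's \"Irish\" trivia",
    'jeop_ques2'    => 'Who said "it\'s fine"?',
    'jeop_ans2'     => "Nobody; that's a <b>trick</b> question",
];
saveCategory($pdo, $request);                        // INSERT path
saveCategory($pdo, $request + ['update' => 'true']); // UPDATE path, same data

// The stored value is byte-for-byte what was submitted: no stray backslashes.
$stored = $pdo->query('SELECT category FROM single WHERE catnum = 7')->fetchColumn();
if ($stored !== "O'malley's \"Irish\" trivia") {
    throw new RuntimeException('value was altered on the way into the database');
}

echo renderCategory($pdo, 7);
```

Run it with `php example.php`; the printed paragraph shows the apostrophes and double quotes as `&#039;` and `&quot;` entities in the source, which the browser displays as the original characters, while the `<b>` in the answer is shown literally rather than interpreted. The point the thread circles around is that addslashes and magic quotes modify the data to suit one consumer (the SQL parser) and then leave it wrong for every other consumer; binding parameters for SQL and escaping at output for HTML keeps the stored value untouched and handles each context where it is actually needed.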

