[KLUG Members] php and quotation marks
Lunitix
lunitix at earthlink.net
Tue Sep 27 15:51:56 EDT 2005
Seeing that I'm running my own environment, setting "gpc_magic_quotes
on" makes all things well. Thanks.
Minding of Madness
Jon
bill wrote:
> On Mon, 2005-09-26 at 22:35, Lunitix wrote:
>
>>Sorry. I intended to include the code for the input/update page.
>>
>>$update=$_GET['update'];
>>$catnum=$_GET['jeop_catnum'];
>>$category=$_GET['jeop_category'];
>>$ques2=$_GET['jeop_ques2'];
>>$ans2=$_GET['jeop_ans2'];
>>$ques4=$_GET['jeop_ques4'];
>>$ans4=$_GET['jeop_ans4'];
>>$ques8=$_GET['jeop_ques8'];
>>$ans8=$_GET['jeop_ans8'];
>>$ques16=$_GET['jeop_ques16'];
>>$ans16=$_GET['jeop_ans16'];
>>$ques32=$_GET['jeop_ques32'];
>>$ans32=$_GET['jeop_ans32'];
>>$ques64=$_GET['jeop_ques64'];
>>$ans64=$_GET['jeop_ans64'];
>>$ques128=$_GET['jeop_ques128'];
>>$ans128=$_GET['jeop_ans128'];
>>$ques256=$_GET['jeop_ques256'];
>>$ans256=$_GET['jeop_ans256'];
>>
>>if ($update=='true') {
>> $query="UPDATE single SET
>> category='$category', ques2='$ques2', ans2='$ans2', ques4='$ques4',
>>ans4='$ans4', ques8='$ques8', ans8='$ans8', ques16='$ques16',
>>ans16='$ans16', ques32='$ques32', ans32='$ans32', ques64='$ques64',
>>ans64='$ans64', ques128='$ques128', ans128='$ans128',
>>ques256='$ques256', ans256='$ans256'
>> WHERE catnum='$catnum' ";
>>} else {
>> $query="INSERT INTO single ( catnum, category, ques2, ans2, ques4,
>>ans4, ques8, ans8, ques16, ans16, ques32, ans32, ques64, ans64, ques128,
>>ans128, ques256, ans256) VALUES ('$catnum', '$category', '$ques2',
>>'$ans2', '$ques4', '$ans4', '$ques8', '$ans8', '$ques16', '$ans16',
>>'$ques32', '$ans32', '$ques64', '$ans64', '$ques128', '$ans128',
>>'$ques256', '$ans256')";
>>}
>
>
> Are you saying the code above doesn't work?
>
>
>>Lunitix wrote:
>>
>>>I, not too long ago, asked a question about quotation marks (") with php
>>>and mysql. The response was to add htmlspecialchars to my code.
>
>
> Where did you add that?
>
>
>>That
>>
>>>allows the quotation marks (") to be used, but the flipside is that
>>>single quotes (') now create the errors that the double quotes did.
>>>
>>>How can I get both the single and double quotes to work?
>
>
> Single quotes (') are literal, double quotes (") handle variables.
>
> $sam = 'buddy';
> $fred = "friend";
> $joe = '$some guy'; // joe is literally the dollar sign and "some guy"
>
>
> echo "$sam and $fred and $joe"; // will show all the values
> echo '$sam and $fred and $joe'; // will literally display the $names
>
> When you nest quotes you have to be careful to match them.
>
> "UPDATE single SET category='$category' ... "
>
> Even though $category is in single quotes it will still work as expected
> because the whole thing is in double quotes.
>
> If the value of $category has a single quote, it must be escaped. Thus
> the value "O'malley" must become "O\'malley" to put it in the db. You
> can have php do that for you whenever you do db inserts by setting
> gpc_magic_quotes on, or, what I prefer, do it yourself with "addslashes"
> when you check your data (you are checking your data, right?).
>
> $category=addslashes($category);
>
> That will handle quotes for you.
>
> For displaying HTML, escaping is also the best solution.
>
> echo "<p align="center">This is my paragraph</p>";
>
> This will fail before the word -center- because the double quotes there
> will close the opening double quote at the beginning. PHP thinks you're
> done quoting. The rest of the clause then makes no sense to PHP.
>
> echo "<p align=\"center\">This is my paragraph</p>";
>
> That works, you've escaped the double quotes inside the clause.
>
> You can try using single quotes, but you'll run into the same
> problem.
>
> echo '<p align='center'>This is my paragraph</p>';
>
> The code above will fail before the word center, PHP thinks you're done
> quoting.
>
> echo '<p align=\'center\'>This is my paragraph</p>';
>
> That will work.
>
> You can try alternating quotes and double quotes but you end up being
> more confused for each new clause (Do I start this time with a double
> quote or a single quote?). Plus, your code starts getting weird because
> it is inconsistent.
>
> htmlspecialchars isn't a great solution because it turns quotes (and
> other things) into non-meaningful symbols.
>
> $mystring = htmlspecialchars ("<p align='center'>This is my
> paragraph</p>");
>
> echo $mystring;
>
> Now your HTML code doesn't work, it will look like your browser doesn't
> interpret it any more. (try it and see). They're not meaningful symbols
> anymore so the browser can't interpret them, only display them.
>
> Thus, put the results of your db in normal html, echo it out and escape
> your double quotes.
>
> $dbval="O'malley";
>
> echo "<p align=\"center\">$dbval</p>";
>
> That will work and the single quote in O'malley won't bother anything.
>
> kind regards,
>
> bill
>
>
>
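Added example, not part of the original thread: one way to get both quote characters into the database and back onto the page is to bind the values as query parameters and to encode only the value, not the markup, when it is echoed. It assumes PDO with the SQLite driver, uses constructed input and a reduced column list from the thread's `single` table, and `save_category` and `h` are hypothetical helper names.

```php
<?php
// Added example: constructed input, in-memory SQLite (assumes pdo_sqlite is enabled).

function save_category(PDO $db, array $in, bool $update): void
{
    // Placeholders keep the data out of the SQL text, so neither ' nor "
    // needs escaping: no addslashes(), no magic quotes.
    $sql = $update
        ? 'UPDATE single SET category = :category, ques2 = :ques2, ans2 = :ans2
           WHERE catnum = :catnum'
        : 'INSERT INTO single (catnum, category, ques2, ans2)
           VALUES (:catnum, :category, :ques2, :ans2)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':catnum'   => (int) ($in['jeop_catnum'] ?? 0),
        ':category' => (string) ($in['jeop_category'] ?? ''),
        ':ques2'    => (string) ($in['jeop_ques2'] ?? ''),
        ':ans2'     => (string) ($in['jeop_ans2'] ?? ''),
    ]);
}

function h(string $s): string
{
    // Encode the value only, at output time; the surrounding markup stays real HTML.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE single (catnum INTEGER PRIMARY KEY, category TEXT, ques2 TEXT, ans2 TEXT)');

// Constructed request data standing in for $_GET.
$input = [
    'jeop_catnum'   => '1',
    'jeop_category' => 'O\'malley\'s "Pub" Trivia',
    'jeop_ques2'    => 'Who said "It\'s alive!"?',
    'jeop_ans2'     => '<b>Dr. Frankenstein</b>',
];
save_category($db, $input, false);                     // INSERT path
$input['jeop_category'] = 'O\'malley\'s "Irish" Trivia';
save_category($db, $input, true);                      // UPDATE path

$stmt = $db->prepare('SELECT category, ans2 FROM single WHERE catnum = ?');
$stmt->execute([1]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// The stored value is byte-for-byte what was submitted, both quote types intact.
var_dump($row['category'] === $input['jeop_category']);
echo '<p align="center">' . h($row['category']) . ': ' . h($row['ans2']) . "</p>\n";
```

Magic quotes were removed from PHP in version 5.4, so code that relies on the setting stops escaping anything after an upgrade; bound parameters do not depend on any server configuration.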