
single quotes in database field breaks form?

 
  #1  
Old July 17th, 2005, 01:36 AM
Greg Bryant

Hi folks - I have a form that displays a value pulled from a database
field.

<?php echo "<input type=text name='storename' value='$storename'>"; ?>

I noticed that if $storename contains something like "Ma's Bakery", all
that shows up in the field is "Ma". Do I really have to go through all my
form fields and change them to
<?php echo "<input type=text name='storename' value='".$storename."'>"; ?>

Although I guess
<?php echo "<input type=text name='storename' value=\"$storename\">"; ?>
would work, too.

Oh well.

  #2  
Old July 17th, 2005, 01:36 AM
Pedro Graca

Greg Bryant wrote:
> Hi folks - I have a form that displays a value pulled from a database
> field.
>
><?php echo "<input type=text name='storename' value='$storename'>"; ?>
>
> I noticed that if $storename contains something like "Ma's Bakery", all
> that shows up in the field is "Ma". Do I really have to go through all my
> form fields and change them to
><?php echo "<input type=text name='storename' value='".$storename."'>"; ?>

What happened when you tried that? :)

try:

<?php echo '... value="', htmlentities($storename, ENT_QUOTES), '">'; ?>

Reference at
http://www.php.net/htmlentities


Happy Coding :-)
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
  #3  
Old July 17th, 2005, 01:36 AM
Michael Fuhr

Greg Bryant <bryantgHELLO@yahoo.com> writes:
> Hi folks - I have a form that displays a value pulled from a database
> field.
>
> <?php echo "<input type=text name='storename' value='$storename'>"; ?>
>
> I noticed that if $storename contains something like "Ma's Bakery", all
> that shows up in the field is "Ma". Do I really have to go through all my
> form fields and change them to
> <?php echo "<input type=text name='storename' value='".$storename."'>"; ?>
>
> Although I guess
> <?php echo "<input type=text name='storename' value=\"$storename\">"; ?>
> would work, too.

It's wise to call htmlentities() when displaying content that could
contain special characters.

http://www.php.net/manual/function.htmlentities.php

Have a look at the optional quote_style parameter.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
  #4  
Old July 17th, 2005, 01:37 AM
Greg Bryant

Pedro Graca <hexkid@hotpop.com> wrote in
news:braiso$194j3$1@ID-203069.news.uni-berlin.de:
> Greg Bryant wrote:
>> Hi folks - I have a form that displays a value pulled from a database
>> field.
>>
>><?php echo "<input type=text name='storename' value='$storename'>"; ?>
>>
>> I noticed that if $storename contains something like "Ma's Bakery",
>> all that shows up in the field is "Ma". Do I really have to go
>> through all my form fields and change them to
>><?php echo "<input type=text name='storename'
>>value='".$storename."'>"; ?>
>
> What happened when you tried that? :)
>
> try:
>
> <?php echo '... value="', htmlentities($storename, ENT_QUOTES), '">';
> ?>
>
> Reference at
> http://www.php.net/htmlentities
>
>
> Happy Coding :-)

Thanks. Fortunately, I guess, I tried the second one first (escape
double quotes around the value). Looking at it again, obviously the
first one will have the same problem as the original :). Nice to know
there's a real solution - htmlentities. Thanks!

  #5  
Old July 17th, 2005, 01:37 AM
Markus Ernst
Guest
 
Posts: n/a
Default Re: single quotes in database field breaks form?

"Greg Bryant" <bryantgHELLO@yahoo.com> wrote in message
news:Xns944F4714FD65bryantgHELLOyahoocom@199.45.49 .11...
> Pedro Graca <hexkid@hotpop.com> wrote in
> news:braiso$194j3$1@ID-203069.news.uni-berlin.de:
>
> > Greg Bryant wrote:
> >> Hi folks - I have a form that displays a value pulled from a database
> >> field.
> >>
> >><?php echo "<input type=text name='storename' value='$storename'>"; ?>
> >>
> >> I noticed that if $storename contains something like "Ma's Bakery",
> >> all that shows up in the field is "Ma". Do I really have to go
> >> through all my form fields and change them to
> >><?php echo "<input type=text name='storename'
> >>value='".$storename."'>"; ?>
> >
> > What happened when you tried that? :)
> >
> > try:
> >
> > <?php echo '... value="', htmlentities($storename, ENT_QUOTES), '">';
> > ?>
> >
> > Reference at
> > http://www.php.net/htmlentities
> >
> >
> > Happy Coding :-)
>
> Thanks. Fortunately, I guess, I tried the second one first (escape
> double quotes around the value). Looking at it again, obviously the
> first one will have the same problem as the original :). Nice to know
> there's a real solution - htmlentities. Thanks!
>

With your "solution" you just switch problems - an entry as "She said:
"Let's go!", and went." will be cropped to "She said: ". You either have to
use htmlentities() or addslashes() with your content.

--
Markus


  #6  
Old July 17th, 2005, 01:37 AM
Greg Bryant
Guest
 
Posts: n/a
Default Re: single quotes in database field breaks form?

You're right, you're right. There's obviously a reason htmlentities is a
core function :).

Thanks for keeping me from getting lazy.

-Greg

"Markus Ernst" <derernst@NO#SP#AMgmx.ch> wrote in
news:3fd9cdb2$0$13881$afc38c87@news.easynet.ch:
>> Thanks. Fortunately, I guess, I tried the second one first (escape
>> double quotes around the value). Looking at it again, obviously the
>> first one will have the same problem as the original :). Nice to
>> know there's a real solution - htmlentities. Thanks!
>>
>
> With your "solution" you just switch problems - an entry as "She said:
> "Let's go!", and went." will be cropped to "She said: ". You either
> have to use htmlentities() or addslashes() with your content.
>

  #7  
Old July 17th, 2005, 01:38 AM
Pritesh Desai
Guest
 
Posts: n/a
Default Re: single quotes in database field breaks form?

I find that using addslashes() usually does the trick, however if the
data you're entering is variable and the end user has specified it, it
would be better to htmlentities() or htmlspecialchars() and then
addslashes() for security.
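
The approaches discussed in this thread, compared side by side as an added example that is not part of any post above: each one renders the input for the thread's two sample strings, then the markup is parsed back with PHP's DOMDocument to see which value the form field actually receives. The helper names `render` and `parsedValue` are hypothetical, and `htmlspecialchars()` with `ENT_QUOTES` stands in for the `htmlentities()` call from post #2.

```php
<?php
// Added example: every rendering strategy from the thread, applied to the
// thread's two sample strings, then parsed back to see what survives.

// Hypothetical helper; only the PHP built-ins it calls are real API.
function render(string $strategy, string $storename): string
{
    switch ($strategy) {
        case 'raw-single':   // original post: value='$storename'
            return "<input type=text name='storename' value='$storename'>";
        case 'raw-double':   // workaround from post #1: value=\"$storename\"
            return "<input type=text name='storename' value=\"$storename\">";
        case 'addslashes':   // a backslash is not an escape character in HTML
            return "<input type=text name='storename' value='" . addslashes($storename) . "'>";
        case 'entities':     // encode both quote styles (ENT_QUOTES, as in post #2)
            return '<input type="text" name="storename" value="'
                . htmlspecialchars($storename, ENT_QUOTES, 'UTF-8') . '">';
    }
    throw new InvalidArgumentException("unknown strategy: $strategy");
}

// Hypothetical helper: parse the markup as HTML and return the value
// attribute of the first <input>, i.e. what the form field would hold.
function parsedValue(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

// The two sample strings quoted in the thread.
$samples = ["Ma's Bakery", 'She said: "Let\'s go!", and went.'];

foreach ($samples as $s) {
    foreach (['raw-single', 'raw-double', 'addslashes', 'entities'] as $strategy) {
        $seen = parsedValue(render($strategy, $s));
        printf("%-10s %-6s %s\n", $strategy, $seen === $s ? 'intact' : 'BROKEN', var_export($seen, true));
    }
    echo "\n";
}
```

Only the entity-encoded variant returns both strings unchanged, because the attribute value can no longer contain a literal quote character of either kind.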
 
