
Best way to get quoted text in mysql?

JW
It took me a lot of trial and error to get text from an HTML form into MySQL to
account for quotation marks being entered. I came up with the following. It
works fine but I was wondering if this is the best way. Here are the relevant
snippets:

1) User enters data via post.html:

<form method="POST" action="post_confirm.php" name="form">
<textarea NAME="comments" ROWS=4 COLS=60 onkeyup="textLimit(comments,
800);"></TEXTAREA>
<input type="submit" name="Submit2" value="Submit" onClick="return
validate(form)">
</form>

2) User is presented with the confirmation form post_confirm.php:

Strips html tags, and displays without the slashes that PHP puts in:
<?php $comments=stripslashes(strip_tags($_POST['comments'])); ?>

Displays the user comments:
<?php echo $comments; ?>

If ok, user sends it to be posted:
<form method="POST" action="postnotice.php">
<input type="hidden" name="comments" value="<?php echo
htmlspecialchars($comments, ENT_QUOTES ); ?>">
</form>

3) Stuff is posted in MySQL via postnotice form:

<?php $comments=addslashes($_POST['comments']); ?>
Better way or OK?

TIA -

jon
--
jwayne@_myrealbox_no_spam.com
Jul 16 '05 #1


Hi jwayne!

On Mon, 30 Jun 2003 16:05:12 -0400, JW <jwayne@_myrealbox_no_spam.com>
wrote:
> It took me a lot of trial and error to get text from an HTML form into MySQL to
> account for quotation marks being entered. I came up with the following. It
> works fine but I was wondering if this is the best way. Here are the relevant
> snippets:
>
> 1) User enters data via post.html:
>
> <form method="POST" action="post_confirm.php" name="form">
> <textarea NAME="comments" ROWS=4 COLS=60 onkeyup="textLimit(comments,
> 800);"></TEXTAREA>
> <input type="submit" name="Submit2" value="Submit" onClick="return
> validate(form)">
> </form>
>
> 2) User is presented with the confirmation form post_confirm.php:
>
> Strips html tags, and displays without the slashes that PHP puts in:
> <?php $comments=stripslashes(strip_tags($_POST['comments'])); ?>

You can turn off the slashes that are put in, by using the ini_set with
magic_quotes_gpc. My suggestion is to turn it off.

> Displays the user comments:
> <?php echo $comments; ?>
>
> If ok, user sends it to be posted:
> <form method="POST" action="postnotice.php">
> <input type="hidden" name="comments" value="<?php echo
> htmlspecialchars($comments, ENT_QUOTES ); ?>">
> </form>
>
> 3) Stuff is posted in MySQL via postnotice form:
>
> <?php $comments=addslashes($_POST['comments']); ?>
> Better way or OK?


You may get around the one stripslashes with my suggestion.

Hope I could help.

Jochen
--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #2

Hi !
On Mon, 30 Jun 2003 20:18:23 -0400, JW <jwayne@_myrealbox_no_spam.com>
wrote:
>> You may get around the one stripslashes with my suggestion.
>
> I tried your suggestion but there is a problem: when I do a mysql_query, it bombs
> with _single_ quotes in the user text.

Sorry. Just remove one instance of stripslashes, not all instances of
*slashes. But your code was fine anyway. If you use shared servers,
you might not be in control of these switches anyway. Maybe have a
look at get_magic_quotes_gpc.

HTH, Jochen
--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #3

Jochen Daum <jo*********@cans.co.nz> wrote in message news:<lm********************************@4ax.com>...
Better way or OK?


There is a RemoveMagicQuotes function floating around, probably on
php.net in the user comments that I've found to be very effective. You
just run it on the top of every page and it removes the magic quotes
if the server has them on or off. I've moved PHP scripts between
hosting companies and it can suddenly make a working script not work.
A little auto-detection and dealing with it can help.
Jul 16 '05 #4
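
Added example, not code from any poster in this thread: one way to handle the three steps from the question together with the auto-detection idea from the last reply, keeping the raw text in the variable and escaping only at the HTML and SQL boundaries. The function names, the `notices` table and the in-memory SQLite connection (standing in for MySQL) are assumptions.

```php
<?php
// Added example; function names and the "notices" table are hypothetical.

// Undo magic_quotes_gpc only if the server applied it, so the rest of the
// script always works with the raw text the user typed.
function raw_input_value($source, $key)
{
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    // The setting is always off since PHP 5.4 and the function was removed
    // in PHP 8.0, hence the function_exists() guard.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// HTML boundary: encode when echoing into a page or a hidden field.
function html_value($raw)
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// SQL boundary: a bound parameter carries quotes as data, so the value is
// never spliced into the statement text and needs no addslashes().
function save_comment(PDO $db, $raw)
{
    $stmt = $db->prepare('INSERT INTO notices (comments) VALUES (:comments)');
    $stmt->execute(array(':comments' => $raw));
    return (int) $db->lastInsertId();
}

// Constructed demo: in-memory SQLite stands in for MySQL (assumption);
// with MySQL only the DSN and credentials passed to new PDO() change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notices (id INTEGER PRIMARY KEY, comments TEXT)');

$post = array('comments' => 'It\'s a "quoted" <b>note</b>'); // constructed sample input
$raw  = strip_tags(raw_input_value($post, 'comments'));      // same tag stripping as post_confirm.php

$id   = save_comment($db, $raw);
$stmt = $db->prepare('SELECT comments FROM notices WHERE id = ?');
$stmt->execute(array($id));
$stored = $stmt->fetchColumn();

var_dump($stored === $raw);     // compares the stored text with what was submitted
echo html_value($stored), "\n"; // the form of the value that is safe inside an HTML attribute
```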
