
single quotes in database field breaks form?

P: n/a
Hi folks - I have a form that displays a value pulled from a database
field.

<?php echo "<input type=text name='storename' value='$storename'>"; ?>

I noticed that if $storename contains something like "Ma's Bakery", all
that shows up in the field is "Ma". Do I really have to go through all my
form fields and change them to
<?php echo "<input type=text name='storename' value='".$storename."'>"; ?>

Although I guess
<?php echo "<input type=text name='storename' value=\"$storename\">"; ?>
would work, too.

Oh well.
Jul 17 '05 #1
6 Replies


P: n/a
Greg Bryant wrote:
Hi folks - I have a form that displays a value pulled from a database
field.

<?php echo "<input type=text name='storename' value='$storename'>"; ?>

I noticed that if $storename contains something like "Ma's Bakery", all
that shows up in the field is "Ma". Do I really have to go through all my
form fields and change them to
<?php echo "<input type=text name='storename' value='".$storename."'>"; ?>


What happened when you tried that? :)

try:

<?php echo '... value="', htmlentities($storename, ENT_QUOTES), '">'; ?>

Reference at
http://www.php.net/htmlentities
Happy Coding :-)
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #2

P: n/a
Greg Bryant <br**********@yahoo.com> writes:
Hi folks - I have a form that displays a value pulled from a database
field.

<?php echo "<input type=text name='storename' value='$storename'>"; ?>

I noticed that if $storename contains something like "Ma's Bakery", all
that shows up in the field is "Ma". Do I really have to go through all my
form fields and change them to
<?php echo "<input type=text name='storename' value='".$storename."'>"; ?>

Although I guess
<?php echo "<input type=text name='storename' value=\"$storename\">"; ?>
would work, too.


It's wise to call htmlentities() when displaying content that could
contain special characters.

http://www.php.net/manual/function.htmlentities.php

Have a look at the optional quote_style parameter.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
Jul 17 '05 #3

P: n/a
Pedro Graca <he****@hotpop.com> wrote in
news:br************@ID-203069.news.uni-berlin.de:
Greg Bryant wrote:
Hi folks - I have a form that displays a value pulled from a database
field.

<?php echo "<input type=text name='storename' value='$storename'>"; ?>

I noticed that if $storename contains something like "Ma's Bakery",
all that shows up in the field is "Ma". Do I really have to go
through all my form fields and change them to
<?php echo "<input type=text name='storename' value='".$storename."'>"; ?>


What happened when you tried that? :)

try:

<?php echo '... value="', htmlentities($storename, ENT_QUOTES), '">'; ?>

Reference at
http://www.php.net/htmlentities
Happy Coding :-)


Thanks. Fortunately, I guess, I tried the second one first (escape
double quotes around the value). Looking at it again, obviously the
first one will have the same problem as the original :). Nice to know
there's a real solution - htmlentities. Thanks!

Jul 17 '05 #4

P: n/a
"Greg Bryant" <br**********@yahoo.com> wrote in message
news:Xn*********************************@199.45.49 .11...
Pedro Graca <he****@hotpop.com> wrote in
news:br************@ID-203069.news.uni-berlin.de:
Greg Bryant wrote:
Hi folks - I have a form that displays a value pulled from a database
field.

<?php echo "<input type=text name='storename' value='$storename'>"; ?>

I noticed that if $storename contains something like "Ma's Bakery",
all that shows up in the field is "Ma". Do I really have to go
through all my form fields and change them to
<?php echo "<input type=text name='storename' value='".$storename."'>"; ?>


What happened when you tried that? :)

try:

<?php echo '... value="', htmlentities($storename, ENT_QUOTES), '">'; ?>

Reference at
http://www.php.net/htmlentities
Happy Coding :-)


Thanks. Fortunately, I guess, I tried the second one first (escape
double quotes around the value). Looking at it again, obviously the
first one will have the same problem as the original :). Nice to know
there's a real solution - htmlentities. Thanks!


With your "solution" you just switch problems - an entry such as "She said:
"Let's go!", and went." will be cropped to "She said: ". You either have to
use htmlentities() or addslashes() with your content.

--
Markus
Jul 17 '05 #5

P: n/a
You're right, you're right. There's obviously a reason htmlentities is a
core function :).

Thanks for keeping me from getting lazy.

-Greg

"Markus Ernst" <derernst@NO#SP#AMgmx.ch> wrote in
news:3f***********************@news.easynet.ch:
Thanks. Fortunately, I guess, I tried the second one first (escape
double quotes around the value). Looking at it again, obviously the
first one will have the same problem as the original :). Nice to
know there's a real solution - htmlentities. Thanks!


With your "solution" you just switch problems - an entry such as "She said:
"Let's go!", and went." will be cropped to "She said: ". You either
have to use htmlentities() or addslashes() with your content.


Jul 17 '05 #6

P: n/a
I find that using addslashes() usually does the trick, however if the
data you're entering is variable and the end user has specified it, it
would be better to htmlentities() or htmlspecialchars() and then
addslashes() for security.
Jul 17 '05 #7
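
Added example (not part of the original thread): the patterns posted above next to output encoding with htmlspecialchars(), run over the two values quoted in the thread. The function names and the regex model of attribute parsing are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Patterns discussed in the thread, kept as posted for comparison.
function render_single_quoted(string $v): string {
    return "<input type=text name='storename' value='$v'>";
}
function render_double_quoted(string $v): string {
    return "<input type=text name='storename' value=\"$v\">";
}
function render_addslashes(string $v): string {
    return "<input type=text name='storename' value='" . addslashes($v) . "'>";
}

// Hardened form: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both ' and ", so the delimiter choice no longer matters.
function render_encoded(string $v): string {
    $v = htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type=\"text\" name=\"storename\" value=\"$v\">";
}

// Simplified model of how an HTML parser reads a quoted attribute: the value
// ends at the first matching quote, and a backslash is not an escape character.
function parsed_value(string $html): ?string {
    if (!preg_match('/\svalue=(["\'])(.*?)\1/s', $html, $m)) {
        return null;
    }
    return html_entity_decode($m[2], ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Sample values: both are the ones quoted in the thread.
$samples = [
    "Ma's Bakery",
    'She said: "Let\'s go!", and went.',
];

foreach ($samples as $stored) {
    echo "stored: [$stored]\n";
    foreach (['render_single_quoted', 'render_double_quoted',
              'render_addslashes', 'render_encoded'] as $fn) {
        $seen = parsed_value($fn($stored));
        $ok = ($seen === $stored) ? 'ok' : 'BAD';
        printf("  %-21s %-3s field shows: [%s]\n", $fn, $ok, $seen ?? '(none)');
    }
}
```

Only render_encoded round-trips both values. addslashes() inserts a backslash, which the HTML parser treats as an ordinary character, so the quote still ends the attribute.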
