Bytes IT Community

PHP/Mysql/special characters problem

Hi all,

I have an issue with php and/or mysql. I have a php form that writes "items"
to a mysql database, including a description of the item. On the mysql
server, "magic_quotes_gpc" is ON.

I am testing it now by putting special characters in the description field,
this is what I am entering:

O'Leary "special edition"

Now, this item data always gets written to the db just fine and shows up in
the db as entered. Seems correct and working just fine up to this point.

My problem is with my "edit item" page. This page allows users to update
items, including the mentioned "description" field. But when the data is
called back up from the db to display in the "edit item" page and the
description contains double quotes, the description is cut off, and only
shows:

O'Leary

Here is the code (snippet of the important stuff and numbered) on the "edit
item" page:

1. $result = mysql_query("select * from inven where product = '$product'");
2. $row = mysql_fetch_array($result);
3. echo "Description is: $row[description]";
4. echo "<table width=80% border=1 cellpadding=4 cellspacing=0>";
5. ?>
6. <tr><td>Product #:</td><td><input type=text name=product value="<?echo $row[product]?>"></td></tr>
7. <tr><td>Description:</td><td><input type=text name=description value="<?echo $row[description]?>" size=50></td></tr>
8.
9. <?
10. echo "</table>";
11. echo "<br><br><input type=submit name=Update value=Update>";
12. ?>

The important line of code here is line 6, where the value of description
should show. The real value of description that is in the database should be
showing up here, but it is cut off if it contains double quotes. Note also
that the full value (double quotes and all) of description can be seen in
the echo statement at line 3. I'm stumped.

To sum up this problem, data appears to get written to the db just fine. The
"edit item" page is brought up, but the description - if it contains special
characters, is cut off, apparently where there are double quotes. If I go
ahead and update the item, the new value in the db is now cut off and not
what I want.

Any ideas? Thanks in advance.

Mosher
Jul 17 '05 #1


Mosher wrote:
> 6. <tr><td>Product #:</td><td><input type=text name=product value="<?echo $row[product]?>"></td></tr>
>
> The important line of code here is line 6, where the value of description
> should show. The real value of description that is in the database should be
> showing up here, but it is cut off if it contains double quotes. Note also
> that the full value (double quotes and all) of description can be seen in
> the echo statement at line 3. I'm stumped.


The quotes are there :)
view the source!

This is an HTML problem: you're trying to output HTML similar to
<input value="John "Q" Smith">
and the browser doesn't know how to interpret it.

Try htmlentities()
<form ...>
<!-- ... -->

<input value="<?php echo htmlentities($row['product'], ENT_QUOTES); ?>"/>

<!-- ... -->
</form>
http://www.php.net/html_entites
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #2

I (Pedro Graca) mis-wrote:
> http://www.php.net/html_entites


Sorry, that should have been
http://www.php.net/html_entities
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #3

Pedro - thanks so much! That helped and I can now view the full double
quoted data.

However, when I try to "update" the information into the db, the
single/double quoted stuff doesn't get written to the db. I tried an
html_entity_decode function, but that only writes single quotes to the db,
not double. Here is my decode code that I put in the same code that you
commented on previously:

<input type=hidden name=description value="<?echo
html_entity_decode($row[description])?>">

It's my understanding that we need to decode the html_entities data before
writing to db, right? Any ideas how I could get the whole string, single and
double quotes included, written into the db?

Thanks again,

Mosher

Jul 17 '05 #4

Mosher wrote:
> Pedro - thanks so much! That helped and I can now view the full double
> quoted data.
>
> However, when I try to "update" the information into the db, the
> single/double quoted stuff doesn't get written to the db. I tried an
> html_entity_decode function, but that only writes single quotes to
> the db, not double. Here is my decode code that I put in the same
> code that you commented on previously:
>
> <input type=hidden name=description value="<?echo
> html_entity_decode($row[description])?>">
>
> It's my understanding that we need to decode the html_entities data
> before writing to db, right? Any ideas how I could get the whole
> string, single and double quotes included, written into the db?
>
> Thanks again,
>
> Mosher


NO... you do not need to decode anything before flushing it to the db. All
you need to do is shove it in (being sure to call something like
mysql_escape_string first, obviously)
Jul 17 '05 #5

Mosher wrote:
> It's my understanding that we need to decode the html_entities data before
> writing to db, right? Any ideas how I could get the whole string, single and
> double quotes included, written into the db?


From DB to browser
htmlentities()

From browser to DB
mysql_escape_string()

But beware of magic quotes (I don't have them on)
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
Jul 17 '05 #6

Pedro Graca wrote:
> Mosher wrote:
>> It's my understanding that we need to decode the html_entities data
>> before writing to db, right? Any ideas how I could get the whole
>> string, single and double quotes included, written into the db?
>
> From DB to browser
> htmlentities()
>
> From browser to DB
> mysql_escape_string()
>
> But beware of magic quotes (I don't have them on)


you will likely want to do something like
$string = get_magic_quotes_gpc() ?
mysql_escape_string(stripslashes($string)) : mysql_escape_string($string);
Jul 17 '05 #7

Guys,

I tried to use the mysql_escape_string($description), but it didn't work.
When I enter this string from the description field:

O'Leary "special"

...it sends this to the db:

O\\\'Leary \\

...and because magic quotes is on, this is what actually got written to the
db:

O\'Leary \

Also, any information that comes after the description field has now
disappeared. I am in "special character" hell! Help!!! Remember that
magic_quotes_gpc is 'ON'.

Thanks,

Mosher

Jul 17 '05 #8
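
The two directions discussed in replies #6 to #8, as an added example that is not part of the original posts: encode when writing the value into the HTML attribute, and escape exactly once when building the SQL string. The regex, `addslashes()` and `stripslashes()` are stand-ins (assumptions) for the browser's attribute parsing, for magic_quotes_gpc and the SQL escaping function, and for the server's string-literal parsing, so the script runs without a database.

```php
<?php
// Added example, not code from the thread. Stand-ins are labelled as such.
$entered = 'O\'Leary "special edition"';   // constructed sample from the question

// DB -> browser: build the edit form's <input>, with or without encoding.
function render_input(string $value, bool $encode): string {
    $attr = $encode ? htmlentities($value, ENT_QUOTES, 'UTF-8') : $value;
    return '<input type="text" name="description" value="' . $attr . '">';
}

// Simplified stand-in for the browser: the attribute value ends at the first
// double quote, then entities are decoded before the form is submitted.
function browser_submits(string $html): string {
    preg_match('/value="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Stand-in for magic_quotes_gpc = On, which ran addslashes() on form data.
function magic_quotes_gpc_on(string $posted): string {
    return addslashes($posted);
}

// Stand-ins for the SQL side: escaping adds one layer of backslashes and the
// server removes exactly one layer when it parses the string literal.
function sql_escape(string $v): string { return addslashes($v); }
function server_stores(string $literal): string { return stripslashes($literal); }

$raw     = browser_submits(render_input($entered, false));
$encoded = browser_submits(render_input($entered, true));

$post   = magic_quotes_gpc_on($encoded);                   // what the script receives
$double = server_stores(sql_escape($post));                // escaped twice
$single = server_stores(sql_escape(stripslashes($post)));  // escaped once

printf("unencoded form submits : %s\n", $raw);
printf("encoded form submits   : %s\n", $encoded);
printf("stored, escaped twice  : %s\n", $double);
printf("stored, escaped once   : %s\n", $single);
```

Magic quotes were removed in PHP 5.4 and the `mysql_*` functions in PHP 7.0; on current PHP the escaping step is replaced by bound parameters in PDO or mysqli prepared statements, while the encoding step on output is unchanged.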

"Mosher" <mo***********@yahoo.com> wrote in
news:fY********************@comcast.com (in part):
> Guys,
>
> I tried to use the mysql_escape_string($description), but it didn't
> work. When I enter this string from the description field:
>
> O'Leary "special"
>
> ...it sends this to the db:


I've come in late, but you may want to try:

From the form to DB: urlencode(stripslashes($string))
From the DB to the display: urldecode($db_string)

Ken Robinson
Jul 17 '05 #9

Hi Ken,

Thanks for this, but it did not work. Once again (prior to your code), the
data gets written to the db just fine, quotes and all. But when I call it
back up to edit it, that is where the problem is. First, the field data:

O'Leary "special"

...only displayed O'Leary when called back up. I then was able to get around
that by the following line of code:

<input type=text name=description value="<? echo
htmlentities($row[description])?>">

This did display the full data above with quotes, etc. But when I look in
the actual source code of the webpage being displayed, it shows:

O'Leary&quot;special&quot;

...in the field and when I try to write to db, it only writes:

O'Leary

Any other ideas?

Thanks,

Mosher

Jul 17 '05 #10

"Mosher" <mo***********@yahoo.com> wrote in
news:9N********************@comcast.com:
> Hi Ken,
>
> Thanks for this, but it did not work. Once again (prior to your code),
> the data gets written to the db just fine, quotes and all. But when I
> call it back up to edit it, that is where the problem is. First, the
> field data:
>
> O'Leary "special"
>
> ...only displayed O'Leary when called back up. I then was able to get
> around that by the following line of code:
>
> <input type=text name=description value="<? echo
> htmlentities($row[description])?>">
>
> This did display the full data above with quotes, etc. But when I look
> in the actual source code of the webpage being displayed, it shows:
>
> O'Leary&quot;special&quot;
>
> ...in the field and when I try to write to db, it only writes:


I've had similar problems. It's in the DB with the quotes and I used to
run around in circles trying to get it back in after displaying it on a
form and getting the value back. That's why I've started to store the
urlencoded format in the database.

So you would do:
<input type=text name=description value="<? echo urldecode($row[description])?>">
in your form.

In your database update command use something like: "update .... set
description='".urlencode(stripslashes($_POST['description']))."'..."

You might have to write a one-time job to update all the text fields in
your database to conform to the new method or you can just implement it
and each field will be updated as time goes on.

Ken
Jul 17 '05 #11

> This did display the full data above with quotes, etc. But when I look in
> the actual source code of the webpage being displayed, it shows:
>
> O'Leary&quot;special&quot;
>
> ...in the field and when I try to write to db, it only writes:
>
> O'Leary
>
> Any other ideas?


after form submission, i use
$_POST['var'] = mysql_escape_string(stripslashes($_POST['var']));
before submitting $_POST['var'] to my database.

maybe you can also echo $_POST['var'] after you submit the form to check
what is in it.

if you use the GET method, the &quot; entity may cause problems as all
variables are transmitted like
http://php.net/script.php?var1=foo&v...;problem&quot;
if this is the case, maybe just try the POST method instead?

good luck
steven.
Jul 17 '05 #12

Ken - the whole thing works now! But the problem was caused by another
issue. I believe that there was another query writing the data to db (so it
was getting written twice) and due to this, there was the problem - one
query was correct and the other wasn't. I removed the latter query and now
it is working. It had me totally stumped because this hasn't been too much
of an issue for me before.

Anyway, thanks much for the advice. Perhaps I'll try your ideas next time.

Later,

Mosher

Jul 17 '05 #13
