View Full Version : Problem with returning correct user input when it includes quotes

06-02-2004, 04:44 PM
I have a page with several form fields which the user sets, and if they don't fill something in correctly I put an error at the top of the page, then reload all the code below and fill in all the fields they had already filled in. However, if the user inputs any quotes in their input, then when the error page loads it doesn't display the fields correctly. Examples:

If they input:

Fast "cars" & produce an error

The page will reload with:

Fast \ in the field

If they input:


The page will reload with:

\ in the field.

So I tried to replace the " with a \" with the "preg_replace" code below...

$radiovaluesub = 'fmradiovb' . $radioname . '-' . $radioq2;

$rbvsstrip = $_SESSION['fm'][$radiovaluesub];

$rbvs = preg_replace('\"','\\"',$rbvsstrip);

...hoping it would work, but now I'm getting errors.

Any help here?

06-02-2004, 08:18 PM
Gotta have those error texts also. But I think that using str_replace might be faster and easier.

str_replace ("\"","\\\"",$rbvsstrip)

06-03-2004, 12:27 AM
Hmmmm.... got no errors with that but still not returned correctly! :(

Fast "Cars" is now returned as:

Fast \\

Any ideas?

06-03-2004, 02:46 AM
Look also at addslashes() and stripslashes(): addslashes() makes the data safe for insertion into the DB (mysql_escape_field() is available as well); stripslashes() clears it up for display in your forms.

for display ...
<input type="text" name="name" value="<?=stripslashes($_POST['name']);?>">

for sticking in the DB ..

"UPDATE blah SET name='".addslashes($_POST['name'])."' ..etc

Now this gets funky when different servers have different php.ini settings. Some servers will have magic_quotes_gpc = On, which automatically escapes GET, POST and COOKIE variables. That's what your server is doing right now, and that's where the slashes are coming from, so really you do not need to addslashes() yourself.
So you really need to check the server settings (ini_get() (http://www.php.net/ini_get)) and decide whether you need to addslashes() or not.

06-03-2004, 07:48 PM
Hmm... that'll remove the slashes but it won't return anything after it.




Would return:





nothing (a blank area).

So it is stripping the slashes but it's not leaving the user data there. :(
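The thread ends without a fix, and none of the three approaches tried (preg_replace, str_replace, addslashes/stripslashes) can work, because a browser reading value="..." stops at the first double quote and knows nothing about backslash escaping. The example below is added here and is not code from the thread: it models that attribute parsing with a small constructed helper, reproduces the symptoms reported above (the field showing `Fast \`, then everything after the first quote vanishing), and shows the two correct tools, htmlspecialchars() for the page and a bound parameter for the database. The raw_input() helper and the in-memory SQLite table are assumptions made for the example so it runs offline.

```php
<?php
// Added example, not code from the thread. Shows why backslash escaping
// cannot fix the re-populated form field and what does: HTML entity
// encoding for the page, bound parameters for the database.

// Minimal model (constructed for this example) of how a browser reads a
// value="..." attribute: everything up to the next double quote. It knows
// nothing about backslashes, which is why \" does not help in HTML.
function browser_sees(string $html): string
{
    if (!preg_match('/value="([^"]*)"/', $html, $m)) {
        return '';
    }
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical helper: undo magic_quotes_gpc exactly once, and only where
// it is on. On PHP 5.4+ the setting is gone and the input is already raw;
// the guard is needed because get_magic_quotes_gpc() no longer exists on PHP 8.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// The right escaping for an attribute: " becomes &quot;, ' becomes &#039;,
// < and & are encoded too, so the value can neither close the attribute
// early nor inject markup or script (XSS) into the page.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function input_field(string $name, string $value): string
{
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '">';
}

$typed = 'Fast "cars"';   // what the user actually typed

// 1. Thread symptom: magic_quotes_gpc=On (simulated here with addslashes)
//    turns the value into Fast \"cars\" and it is dropped straight into HTML.
//    The attribute ends at the first ", so only the text before it survives.
$magic = addslashes($typed);
echo browser_sees('<input type="text" name="name" value="' . $magic . '">'), "\n";

// 2. stripslashes() alone: the backslashes go, but the first quote still
//    ends the attribute and everything after it is lost.
echo browser_sees('<input type="text" name="name" value="' . stripslashes($magic) . '">'), "\n";

// 3. Entity-encode the raw value: the whole string survives the round trip.
$html = input_field('name', raw_input($typed));
echo $html, "\n";
echo browser_sees($html), "\n";

// For the database, do not escape by hand at all: bind the raw value.
// Uses an in-memory SQLite table (constructed for this example) so it runs
// offline; it needs the pdo_sqlite extension and is skipped otherwise.
if (in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE blah (id INTEGER PRIMARY KEY, name TEXT)');
    $stmt = $db->prepare('INSERT INTO blah (name) VALUES (:name)');
    $stmt->execute([':name' => raw_input($typed)]);
    // Read it back: stored exactly as typed, with no slashes added or lost.
    echo $db->query('SELECT name FROM blah')->fetchColumn(), "\n";
}
```

Run it with the php CLI. The first echo reproduces the `Fast \` the original poster saw, the second shows the truncation reported in the last post (the browser keeps only what precedes the first quote), and the third shows the field re-populated intact because the quotes reach the browser as `&quot;`. The same rule applies to every other place user input is written into the page; backslashes are an escaping convention for strings inside PHP and (with addslashes) for some SQL dialects, never for HTML, and for SQL a bound parameter removes the need to escape at all.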