  1. #1
    Regular Coder
    Join Date
    Aug 2011
    Posts
    192
    Thanks
    112
    Thanked 0 Times in 0 Posts

    Why is hyphen' preceded by a backslash?

    I have mysql code to enter a businessname into a table in a database, but, if I enter a name such as "Joe's" (with a hyphen), it goes into the database as "Joe\'s" (always adds a backslash before the hyphen). I would appreciate anyone's help. Thank you, Buffmin.

    My code
    Code:
    <?php 
    /*  
     NEW.PHP 
     Allows user to create a new entry in the database 
    */ 
     
     function renderForm($BusinessName, $error) 
     { 
     ?> 
     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> 
     <html> 
     <head> 
     <title>New Member</title> 
     <link rel="stylesheet" type="text/css" href="member.css"> 
     </head> 
     <body> 
     
     
     <?php  
     // if there are any errors, display them 
     if ($error != '') 
     { 
     echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>'; 
     } 
     ?>  
    
    <h1 class="style1">Add a Member to Business Directory</h1>
     <form action="" method="post"> 
     <table>
    <tr><td class="blue">Business Name</td><td><input type="text" size="40" name="BusinessName" value="<?php echo $BusinessName; ?>" /></td></tr>
    
    </table><p></p>
    <p class="blue">*  Required Field</p>
    
    <input type="submit" name="submit" value="Submit">
     </form>  
     </body> 
     </html> 
     <?php  
     } 
     
     // connect to the database 
     require ('dbstuff.php');
            $db = connectDB();
      
     // check if the form has been submitted. If it has, start to process the form and save it to the database 
     if (isset($_POST['submit'])) 
     {  
     // get form data, making sure it is valid 
     $Businessname = mysql_real_escape_string(htmlspecialchars($_POST['BusinessName'])); 
      
     // check to make sure both fields are entered 
     if ($Businessname == '') 
     { 
     // generate error message 
     $error = 'ERROR: Please fill in all required fields.....!'; 
      
     // if either field is blank, display the form again 
     renderForm($Businessname, $error); 
     } 
     else 
     { 
     // save the data to the database 
     mysql_query("INSERT mybiz SET BusinessName='$Businessname'") 
     or die(mysql_error());  
     
    mysql_query("alter table mybiz order by BusinessName")	
     or die(mysql_error());
     
      
     // once saved, redirect back to the view page 
     header("Location: view.php");  
     } 
     } 
     else 
     // if the form hasn't been submitted, display the form 
     { 
     renderForm('', ''); 
     } 
    ?>

  • #2
    Super Moderator guelphdad's Avatar
    Join Date
    Mar 2006
    Location
    St. Catharines, Ontario Canada
    Posts
    2,631
    Thanks
    4
    Thanked 147 Times in 138 Posts
    if you are using mysql_real_escape_string then you shouldn't also be using htmlspecialchars
    Last edited by guelphdad; 01-17-2012 at 06:30 PM.

  • Users who have thanked guelphdad for this post:

    Buffmin (01-17-2012)

  • #3
    Regular Coder
    I guess I am not familiar with "mysql_real_escape_string". Is that used when inputting data, or when retrieving data? I will have to research how to use this, but thank you.

  • #4
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,465
    Thanks
    0
    Thanked 634 Times in 624 Posts
    Quote Originally Posted by Buffmin View Post
    I guess I am not familiar with "mysql_real_escape_string". Is that used when inputting data, or when retrieving data? I will have to research how to use this, but thank you.

    mysql_real_escape_string is used when using "query" to access a database where the SQL and data are jumbled together and the data is "escaped" in order to try to avoid it being interpreted as part of the SQL. It is unnecessary if you replace "query" with "prepare" and "bind" as the latter keeps the SQL in the prepare statement and the data in the bind statement and so avoids all possibility of the data being misinterpreted.


    htmlspecialchars is used when outputting data into an HTML web page. It is used to escape characters in the data that would otherwise be misinterpreted as being HTML tags.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • Users who have thanked felgall for this post:

    Buffmin (01-17-2012)

  • #5
    Regular Coder
    Thanks felgall,
    I will have to study up on the "mysql_real_escape_string" for when I input data into my tables, but for the moment, I am concerned with displaying the data in my table without the special characters. I cannot figure out how or where to insert the "htmlspecialchars" in my html. If you could possibly point out how or where, I would greatly appreciate it. Thank you, Buffmin

    My code:
    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> 
    <html> 
    <head> 
            <title>My Sample</title> 
    </head> 
    <body>  
    <?php 
    
    /* Displays all members from database  */  
    
            require ('dbstuff.php');
            $db = connectDB();
     
            // get results from database 
            $result = mysql_query("SELECT * FROM mybiz")  
                    or die(mysql_error());   
                     
            // display data in table                
            echo "<table border='1' cellpadding='10'>"; 
            echo "<tr><th>Business Name</th></tr>"; 
     
            // loop through results of database query, displaying them in the table 
           	$count= 0;
    	    while($row = mysql_fetch_array( $result )) { 
            ++$count;		
    	  
    	  // echo out the contents of each row into a table 
    	             echo "<tr>"; 
    	             echo '<td>' . $row['BusinessName'] . '</td>';  
                     echo "</tr>";   
            }  
            // close table 
            echo "</table>"; 
    ?>  
    </body> 
    </html>

  • #6
    Master Coder felgall's Avatar
    When writing data into HTML you simply replace:

    echo $field;

    with:

    echo htmlspecialchars($field);
    Stephen

  • Users who have thanked felgall for this post:

    Buffmin (01-18-2012)

  • #7
    Regular Coder
    Thank you felgall and I appreciate the link to the resources on your site, but when I added the "htmlspecialchars" after my echo, I got an error that says......... "Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ',' or ';' in/homepages/.........

    I do not understand why? Here is my code where I am displaying the html, and thank you for your help. I appreciate your patience. Buffmin

    I commented out the orig line and just added the "htmlspecialchars" to the new line.

    Code:
            // loop through results of database query, displaying them in the table 
           	$count= 0;
    	    while($row = mysql_fetch_array( $result )) { 
            ++$count;
    		
    	  
    	  // echo out the contents of each row into a table 
    	             echo "<tr>"; 
    	             //echo '<td>' . $row['BusinessName'] . '</td>';  
    	             echo htmlspecialchars '<td>' . $row['BusinessName'] . '</td>';
                     echo "</tr>";   
            }

  • #8
    Master Coder felgall's Avatar
    Quote Originally Posted by Buffmin View Post
    echo htmlspecialchars '<td>' . $row['BusinessName'] . '</td>';
    echo '<td>' . htmlspecialchars( $row['BusinessName'] ) . '</td>';
    Stephen

  • Users who have thanked felgall for this post:

    Buffmin (01-18-2012)
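
The split described in posts #4 to #8 (bind data on the way into the database, escape it only on the way out into HTML), shown end to end as an added example that is not code from any poster in this thread. It uses PDO instead of the thread's mysql_* functions, and the in-memory SQLite database, the sample names and the h() helper are assumptions made so the script runs on its own; the table and column names follow the thread.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7+ with pdo_sqlite so it
// runs offline; with MySQL only the DSN passed to PDO changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mybiz (BusinessName TEXT NOT NULL)');

// Constructed sample input standing in for $_POST['BusinessName'].
$submitted = ["Joe's", "O'Brien & Sons", '<b>Bold</b> Bakery', '   '];

// INPUT side: validate, then prepare + bind. The value is stored exactly as
// typed: no htmlspecialchars() and no manual escaping, so no stray backslash.
$insert = $db->prepare('INSERT INTO mybiz (BusinessName) VALUES (:name)');
foreach ($submitted as $raw) {
    $name = trim($raw);
    if ($name === '') {
        continue; // required field left blank: reject instead of storing
    }
    $insert->bindValue(':name', $name, PDO::PARAM_STR);
    $insert->execute();
}

// OUTPUT side: escape each value at the moment it is written into HTML.
// ENT_QUOTES also encodes the apostrophe, which matters inside attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$rows = $db->query('SELECT BusinessName FROM mybiz ORDER BY BusinessName')
           ->fetchAll(PDO::FETCH_COLUMN);

echo "<table border='1' cellpadding='10'>\n";
echo "<tr><th>Business Name</th></tr>\n";
foreach ($rows as $stored) {
    // Only the data is escaped; the <td> markup itself stays markup.
    echo '<tr><td>' . h($stored) . "</td></tr>\n";
}
echo "</table>\n";

// Re-populating the form field after an error uses the same helper.
echo '<input type="text" name="BusinessName" value="' . h($rows[0]) . '" />' . "\n";
```

Because the database holds the raw text, the same row can later be written to a plain-text e-mail or a CSV export without first undoing HTML entities.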

  • #9
    Regular Coder
    Thank you very much for your help! Buffmin

