  1. #1
    New Coder
    Join Date
    Jan 2004
    Location
    Australia
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts

    quoting and html forms with php

    I'm new to php so please forgive my relatively stupid questions.

    I’m having trouble transferring data in a variable to a new page via php and an html structured form.

    The variable contains a string ready for use in an sql command on the next page. It contains the values wrapped in “ and separated by commas.
    Eg “value1”, “value2”, “value3”

    The php generating the html form is below

    PHP Code:
    echo "<p>Do you wish to enact the $dbaction command?</p>\n
    <p>&nbsp;</p>\n
    <form name=\"form1\" method=\"post\" action='action01.php'>\n
      <input type=\"hidden\" name=\"table\" value='$table'>\n
      <input type=\"hidden\" name=\"fieldsblock\" value='$fieldsblock'>\n
      <input type=\"hidden\" name=\"stringsblock\" value='$stringsblock'>\n
      <input type=\"hidden\" name=\"dbaction\" value='$dbaction'>\n";

    My first problem is if I have single quotes, i.e. ‘, the form presumably will terminate when it finds the first one. For now I have disallowed single quotes for it but I would prefer to allow it so words like don’t and can’t are OK. I’m also worried about how other characters like % and & might be interpreted by the form.

    I’ve noticed the variable from the other side has escaping slashes added and have used stripslashes to remove those and this seems to work. Is this the correct practice?

    Is using a form the main way to do it or should I be using another method?

  • #2
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,040
    Thanks
    10
    Thanked 92 Times in 90 Posts
    most efficient (and easier IMO) is to only use echo/print when actually needed...

    PHP Code:
    <p>Do you wish to enact the <?=$dbaction;?> command?</p>
    <p>&nbsp;</p>
    <form name="form1" method="post" action="action01.php">
      <input type="hidden" name="table" value="<?=$table;?>">
      <input type="hidden" name="fieldsblock" value="<?=$fieldsblock;?>">
      <input type="hidden" name="stringsblock" value="<?=$stringsblock;?>">
      <input type="hidden" name="dbaction" value="<?=$dbaction;?>">
    if you need to load into a variable consider heredoc syntax ...

    PHP Code:
    <?
    // note: you can use unescaped 'single' or "double" quotes inside a heredoc
    $str = <<<EOD
    <p>Do you wish to enact the $dbaction command?</p>
    <p>&nbsp;</p>
    <form name="form1" method="post" action="action01.php">
      <input type="hidden" name="table" value="$table">
      <input type="hidden" name="fieldsblock" value="$fieldsblock">
      <input type="hidden" name="stringsblock" value="$stringsblock">
      <input type="hidden" name="dbaction" value="$dbaction">
    EOD;

    echo $str;
    ?>
    however in general escaping works like...

    echo " escaped double
    \"quote \" 'single quotes are ok here ' ";
    echo ' now need to escape \'single\' quotes but doubles are "cool " ';
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #3
    New Coder
    Join Date
    Jan 2004
    Location
    Australia
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks much. I'll look up this heredoc syntax then. I was told using <? ?> was naughty by several ppl.

  • #4
    New Coder
    Join Date
    Jan 2004
    Location
    Australia
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Your script didn't work. The html form double quotes still interfere with the double quotes in the variable string. That's why I originally changed to use single quotes there.

    I think I understand your heredoc thing but that's just another way of avoiding escaping single and double quotes.

    It's not really what I need. Rather I need a way to get my string (which contains quotes) through the form which needs the quotes to operate.

    To put it simply I have a string as I defined in the first post and I need that data to get into the MySQL database without hassles with double quotes, single quotes or any other weird characters permissible in the text. I need to do that via passing to a new page (I'm trying via a form). I also need the data entered into the database not to be in escaped form.

    Originally I did it as you suggested in your example with double quotes around $stringsblock (but without heredoc) but the html form interprets the first double quote of the string as an end to the form info and thus passes a variable containing nothing, ie "", through which therefore means the SQL will not work.

    Then I tried using single quotes in the form and double quotes in the string as per my example in the first post. However this means I cannot use double or single quotes in my text because if single quotes are used the form will interpret them as the end of the form info and if double quotes are used it will do similar with the SQL command.
    Last edited by trias; 01-20-2004 at 02:09 PM.
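    The receiving page the thread keeps referring to (action01.php) is never shown, so here is an added example of how it could be written safely; it is not code from the thread. It assumes the form sends each value in its own `stringsblock[]` field instead of a pre-built `"v1", "v2"` SQL fragment, and it binds the values with a prepared statement, so quotes and backslashes are stored exactly as typed with no addslashes/stripslashes dance (the slashes the original poster saw were added by PHP's magic_quotes_gpc setting, removed in PHP 5.4). Because hidden fields can be edited by whoever submits the form, the table name, action and column names are checked against a fixed list before they go anywhere near SQL. The database is an in-memory SQLite so the script runs without a server; the DSN is the only line that changes for MySQL.

```php
<?php
// Added example (not from the thread): a validating action01.php.
// Hidden fields are user input, so table/action/columns are whitelisted and
// the values are bound, never interpolated into the SQL text.

// Constructed stand-in for $_POST (what the browser would submit).
$post = [
    'table'        => 'quotes',
    'dbaction'     => 'insert',
    'fieldsblock'  => ['author', 'body'],
    'stringsblock' => ['Trias', 'Confucius say "don\'t panic" \\ backslash too'],
];

// Fixed map of table => allowed columns, and the allowed actions.
$allowedTables  = ['quotes' => ['author', 'body']];
$allowedActions = ['insert'];

function validateRequest(array $post, array $allowedTables, array $allowedActions): array
{
    $table  = $post['table'] ?? '';
    $action = $post['dbaction'] ?? '';
    if (!isset($allowedTables[$table])) {
        throw new InvalidArgumentException('unknown table');
    }
    if (!in_array($action, $allowedActions, true)) {
        throw new InvalidArgumentException('unknown action');
    }
    $fields = $post['fieldsblock'] ?? [];
    $values = $post['stringsblock'] ?? [];
    if (!is_array($fields) || !is_array($values) || count($fields) !== count($values)) {
        throw new InvalidArgumentException('field/value count mismatch');
    }
    foreach ($fields as $f) {
        if (!in_array($f, $allowedTables[$table], true)) {
            throw new InvalidArgumentException("unknown column $f");
        }
    }
    return [$table, array_values($fields), array_values($values)];
}

[$table, $fields, $values] = validateRequest($post, $allowedTables, $allowedActions);

// In-memory SQLite so the example runs offline; for MySQL use a DSN such as
// 'mysql:host=localhost;dbname=YOURDB' plus user/password, same code otherwise.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE quotes (author TEXT, body TEXT)');

// Column and table names come from the whitelist, so interpolating them is safe;
// the values are passed to execute() and never touch the SQL string.
$cols  = implode(', ', $fields);
$marks = implode(', ', array_fill(0, count($fields), '?'));
$stmt  = $pdo->prepare("INSERT INTO $table ($cols) VALUES ($marks)");
$stmt->execute($values);

// Read it back: the body is stored as submitted, quotes and backslash included.
$row = $pdo->query('SELECT author, body FROM quotes')->fetch(PDO::FETCH_ASSOC);
echo "stored body:     ", $row['body'], "\n";
echo "stored verbatim: ", var_export($row['body'] === $values[1], true), "\n";
```

    The form side only has to emit one `<input type="hidden" name="stringsblock[]" value="...">` per value with the value run through htmlspecialchars; the browser undoes that encoding on submit, so the handler above sees plain text.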

  • #5
    Supreme Overlord Spookster's Avatar
    Join Date
    May 2002
    Location
    Marion, IA USA
    Posts
    6,273
    Thanks
    4
    Thanked 83 Times in 82 Posts
    <? ?> are short tags and can only be used if they are enabled in the php configuration.

    Just change those to regular tags

    PHP Code:
    <p>Do you wish to enact the <?php echo $dbaction; ?> command?</p>
    <p>&nbsp;</p>
    <form name="form1" method="post" action="action01.php">
      <input type="hidden" name="table" value="<?php echo $table; ?>">
      <input type="hidden" name="fieldsblock" value="<?php echo $fieldsblock; ?>">
      <input type="hidden" name="stringsblock" value="<?php echo $stringsblock; ?>">
      <input type="hidden" name="dbaction" value="<?php echo $dbaction; ?>">
    As firepages said, echo things out only when needed. Don't echo everything. That just leads you to the problem you are having now in keeping up with quotes and having to escape them.
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster

  • #6
    New Coder
    Join Date
    Jan 2004
    Location
    Australia
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Your point is taken I will do that. It should help readability anyway.

    However no one really understood my question. Obviously I need a bit more skill in explaining things. My core problem was escaping the double quotes of the html form not the double quotes of the echo command. I have solved that problem thanks to a guy in the html forum here by using php’s htmlentities function.

    My other problem is escaping the double quotes in my VALUES for a MySQL command without storing slashes in the database and it’s all linked together with php being the method I’m using to get around the problems.

    I was wondering if htmlentities stacks. Trying to explain here. That is if I had this string (1)

    Confucius say "pregnant woman who ask when baby move not know baby not move till after college."

    then applied htmlentities should get (2)

    Confucius say &quot;pregnant woman who ask when baby move not know baby not move till after college.&quot;

    and html_entity_decode should decode it back to the first version. However, if I instead concatenated a bit more to get (3)

    Post contains "Confucius say &quot;pregnant woman who ask when baby move not know baby not move till after college.&quot;"

    and did htmlentities again could the string (4) formed (I have no idea how it would look) then be put through html_entity_decode to form string (3) and then put it through again to get a string something like (5) below or would it just jump straight to (5) after the first html_entity_decode?

    Post contains "Confucius say “pregnant woman who ask when baby move not know baby not move till after college.”"

  • #7
    New Coder
    Join Date
    Jan 2004
    Location
    Australia
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I have found the answer to the above is no, htmlentities doesn't stack.

    I've used double quoting, i.e. "", to get around this problem.
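    The layering question in posts #6 and #7 can be settled by running it, so here is an added example (not from the thread) that builds the thread's strings (1) to (5) and encodes and decodes them step by step. Plain double quotes stand in for the curly ones in (5), since `&quot;` decodes to a plain `"`. The names `$s1` to `$s4` are the example's own.

```php
<?php
// Added example (not from the thread): htmlentities()/html_entity_decode()
// applied in layers. Each encode adds one layer and each decode removes one,
// because htmlentities() re-encodes existing entities by default
// (double_encode = true).

$s1 = 'Confucius say "pregnant woman who ask when baby move not know baby not move till after college."';

// (2): one layer, every " becomes &quot;
$s2 = htmlentities($s1, ENT_QUOTES);

// (3): the encoded text wrapped in further quoted text
$s3 = 'Post contains "' . $s2 . '"';

// (4): encoding again encodes the new quotes AND turns &quot; into &amp;quot;
$s4 = htmlentities($s3, ENT_QUOTES);

// Decoding peels one layer per call: first back to (3), then to plain text (5)
$back3 = html_entity_decode($s4, ENT_QUOTES);
$back5 = html_entity_decode($back3, ENT_QUOTES);

// With double_encode = false the existing &quot; entities are left alone, so
// a single decode flattens everything in one go.
$s4flat = htmlentities($s3, ENT_QUOTES, 'UTF-8', false);
$flat   = html_entity_decode($s4flat, ENT_QUOTES);

$plain5 = 'Post contains "' . $s1 . '"';

$steps = [
    '(2) encode once'           => $s2,
    '(3) concatenate'           => $s3,
    '(4) encode again'          => $s4,
    'decode (4) once'           => $back3,
    'decode (4) twice'          => $back5,
    '(4) without double_encode' => $s4flat,
    'its single decode'         => $flat,
];
foreach ($steps as $label => $text) {
    printf("%-27s %s\n", $label, $text);
}
echo "decode once returns (3):  ", var_export($back3 === $s3, true), "\n";
echo "decode twice returns (5): ", var_export($back5 === $plain5, true), "\n";
echo "flat decode returns (5):  ", var_export($flat === $plain5, true), "\n";
```

    The practical consequence for the thread's problem: encode exactly once, at the point where the text is placed into HTML, and never store the encoded form in the database; the browser already decodes the hidden field's value before submitting it.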

  • #8
    CEJ
    New to the CF scene
    Join Date
    Jun 2009
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    The problem is htmlentities() and htmlspecialchars() aren't replacing single quotes.

    Let's say the value you are drawing from the database is, for the sake of simplicity, $value, and that value is "Trias's Value".

    You wouldn't execute htmlentities($value), but rather htmlentities($value, ENT_QUOTES), which tells php to convert both single and double quotes to their html entity.

    Hope this helps.
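    To show the ENT_QUOTES point concretely, here is an added example (not from the thread) that renders the same hidden input three ways: with the value pasted in raw, with the pre-PHP-8.1 default flags (ENT_COMPAT, which leaves single quotes alone, as the post above describes), and with ENT_QUOTES. The helper `hiddenField` and the sample values are the example's own; since PHP 8.1 the default flags already include ENT_QUOTES, which is why the example passes ENT_COMPAT explicitly to reproduce the older behaviour. htmlspecialchars() is used rather than htmlentities() because for an attribute only `& < > " '` matter, and both functions treat quotes the same way.

```php
<?php
// Added example (not from the thread): encoding a value for a double-quoted
// HTML attribute. The attribute delimiter is ", so an unencoded " in the value
// ends the attribute early; with ENT_QUOTES both " and ' are encoded, and the
// browser decodes them again before the form is submitted.

function hiddenField(string $name, string $value): string
{
    // ENT_QUOTES: encode both kinds of quote.
    // ENT_SUBSTITUTE: on invalid UTF-8 emit U+FFFD instead of returning "",
    // which would otherwise silently drop the whole value.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="hidden" name="' . htmlspecialchars($name, $flags, 'UTF-8')
         . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Constructed sample values: the post's example, one with both quote kinds,
// and one that closes the attribute and the tag if it is inserted raw.
$values = [
    "Trias's Value",
    'Confucius say "don\'t panic"',
    '"><b>injected markup</b><input value="',
];

foreach ($values as $v) {
    echo "raw (broken):     <input type=\"hidden\" name=\"stringsblock\" value=\"$v\">\n";
    echo "ENT_COMPAT:       <input type=\"hidden\" name=\"stringsblock\" value=\""
       . htmlspecialchars($v, ENT_COMPAT, 'UTF-8') . "\">\n";
    echo "ENT_QUOTES:       " . hiddenField('stringsblock', $v) . "\n";
    // What action01.php receives: the browser decodes the entities on submit.
    echo "browser submits:  " . html_entity_decode(htmlspecialchars($v, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8') . "\n\n";
}
```

    With ENT_COMPAT the first value would still be safe inside a double-quoted attribute, but it breaks the moment someone switches the attribute to single quotes, which is exactly what the original poster did; passing ENT_QUOTES makes the output correct for either delimiter.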

  • #9
    New Coder
    Join Date
    Jun 2009
    Posts
    15
    Thanks
    0
    Thanked 1 Time in 1 Post
    You can create the form with singles and doubles and an echo, though you may or may not want to.

    PHP Code:
    <?php 

    echo "<form name='form1' method='post' action='action01.php'>
    <input type='hidden' name='table' value='"
    .$table."'>
    <input type='hidden' name='fieldsblock' value='"
    .$fieldsblock."'>
    <input type='hidden' name='stringsblock' value='"
    .$stringsblock."'>
    <input type='hidden' name='dbaction' value='"
    .$dbaction."'>";
     
    ?>

