View Full Version : quoting and html forms with php

01-19-2004, 05:52 AM
I'm new to php so please forgive my relatively stupid questions.

I’m having trouble transferring data in a variable to a new page via php and a html structured form.

The variable contains a string ready for use in an SQL command on the next page. It contains the values separated by double quotes and commas,
e.g. "value1", "value2", "value3"

The php generating the html form is below

echo "<p>Do you wish to enact the $dbaction command?</p>\n
<form name=\"form1\" method=\"post\" action='action01.php'>\n
<input type=\"hidden\" name=\"table\" value='$table'>\n
<input type=\"hidden\" name=\"fieldsblock\" value='$fieldsblock'>\n
<input type=\"hidden\" name=\"stringsblock\" value='$stringsblock'>\n
<input type=\"hidden\" name=\"dbaction\" value='$dbaction'>\n";

My first problem is that if I have single quotes, i.e. ', the form presumably will terminate when it finds the first one. For now I have disallowed single quotes for it but I would prefer to allow it so words like don't and can't are OK. I'm also worried about how other characters like % and & might be interpreted by the form.

I've noticed the variable from the other side has escaping slashes added and have used stripslashes to remove those and this seems to work. Is this the correct practice?

Is using a form the main way to do it or should I be using another method?
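The two-page flow the post describes, written out as an added example that is not part of the thread. It keeps the thread's names (table, action01.php) but changes the design in one respect a practitioner would insist on: the hidden fields carry the raw data, one field per column, and the receiving page builds the INSERT itself with bound parameters. A hidden field is client-controlled, so a ready-made `"value1", "value2"` SQL fragment sent to the browser comes back as whatever the client chooses; sending data rather than SQL removes that problem and also removes the quote problem, since attribute values are escaped with htmlspecialchars(ENT_QUOTES) for the HTML and the database driver handles quoting for the SQL. The `posts` table, the whitelist of allowed tables and columns, the sample input and the in-memory SQLite database standing in for MySQL are assumptions for the demo; PDO postdates the 2004 posts. The slashes the poster saw come from magic_quotes_gpc, which was removed in PHP 5.4, so on current PHP nothing needs stripping.

```php
<?php
// Added example (not from the thread): hidden fields carry data, not SQL;
// the SQL is built server-side with bound parameters. The posts table,
// the whitelist and the SQLite backing store are assumptions for the demo.
declare(strict_types=1);

// Escape for an HTML attribute: ENT_QUOTES turns both ' and " into entities,
// so neither can terminate the value="..." attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Page 1: the confirmation form. One hidden field per column instead of a
// pre-built "value1", "value2" fragment. The browser URL-encodes %, & and
// quotes on submit, so they arrive in $_POST unchanged.
function confirm_form(string $table, array $fields, array $values): string
{
    $html = "<p>Do you wish to enact the insert command?</p>\n"
          . "<form name=\"form1\" method=\"post\" action=\"action01.php\">\n"
          . '<input type="hidden" name="table" value="' . h($table) . "\">\n";
    foreach ($fields as $i => $field) {
        $html .= '<input type="hidden" name="fields[]" value="' . h($field) . "\">\n";
        $html .= '<input type="hidden" name="values[]" value="' . h($values[$i]) . "\">\n";
    }
    return $html . "<input type=\"submit\" value=\"Yes\">\n</form>\n";
}

// Page 2 (action01.php): everything in $post is client-controlled. Table and
// column names are checked against a whitelist (they cannot be bound), the
// values are bound (never interpolated), and nothing is escaped on the way
// into the database, so nothing has to be stripped on the way out.
function insert_from_post(PDO $db, array $post, array $allowed): int
{
    $table = $post['table'] ?? '';
    if (!isset($allowed[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    $fields = $post['fields'] ?? [];
    $values = $post['values'] ?? [];
    if ($fields === [] || count($fields) !== count($values)) {
        throw new InvalidArgumentException('fields/values mismatch');
    }
    foreach ($fields as $f) {
        if (!in_array($f, $allowed[$table], true)) {
            throw new InvalidArgumentException("column not allowed: $f");
        }
    }
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $fields),
        implode(', ', array_fill(0, count($fields), '?')));
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($values));
    return $stmt->rowCount();
}

// Demo: in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (author TEXT, body TEXT)');
$allowed = ['posts' => ['author', 'body']];

// Constructed input containing every character the thread worries about.
$fields = ['author', 'body'];
$values = ["O'Brien", 'He said "don\'t", 100% & more'];
echo confirm_form('posts', $fields, $values);

// What the browser posts back after the user clicks Yes.
$post = ['table' => 'posts', 'fields' => $fields, 'values' => $values];
insert_from_post($db, $post, $allowed);
$row = $db->query('SELECT author, body FROM posts')->fetch(PDO::FETCH_ASSOC);
var_dump($row['body'] === $values[1]);  // true: stored unescaped, quotes intact
```

The whitelist is the part that is easy to forget: column and table names cannot be bound as parameters, so a `table` or `fields[]` value from the browser must be matched against a fixed list before it is spliced into the statement text.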

01-19-2004, 04:58 PM
most efficient (and easier IMO) is to only use echo/print when actually needed...

<p>Do you wish to enact the <?=$dbaction;?> command?</p>
<form name="form1" method="post" action="action01.php">
<input type="hidden" name="table" value="<?=$table;?>">
<input type="hidden" name="fieldsblock" value="<?=$fieldsblock;?>">
<input type="hidden" name="stringsblock" value="<?=$stringsblock;?>">
<input type="hidden" name="dbaction" value="<?=$dbaction;?>">

if you need to load into a variable consider heredoc syntax ...

// note: unescaped 'single' or "double" quotes are fine inside a heredoc
$str = <<<EOD
<p>Do you wish to enact the $dbaction command?</p>
<form name="form1" method="post" action="action01.php">
<input type="hidden" name="table" value="$table">
<input type="hidden" name="fieldsblock" value="$fieldsblock">
<input type="hidden" name="stringsblock" value="$stringsblock">
<input type="hidden" name="dbaction" value="$dbaction">
EOD;

echo $str;

however in general escaping works like...

echo " escaped double
\"quote \" 'single quotes are ok here ' ";
echo ' now need to escape \'single\' quotes but doubles are "cool " ';

01-20-2004, 12:36 AM
Thanks much. I'll look up this heredoc syntax then. I was told using <? ?> was naughty by several people.

01-20-2004, 02:54 PM
Your script didn't work. The html form double quotes still interfere with the double quotes in the variable string. That's why I originally changed to use single quotes there.

I think I understand your heredoc thing but that's just another way of avoiding escaping single and double quotes.

It's not really what I need. Rather I need a way to get my string (which contains quotes) through the form which needs the quotes to operate.

To put it simply I have a string as I defined in the first post and I need that data to get into the MySQL database without hassles with double quotes, single quotes or any other weird characters permissible in the text. I need to do that via passing to a new page (I'm trying via a form). I also need the data entered into the database not to be in escaped form.

Originally I did it as you suggested in your example with double quotes around $stringsblock (but without heredoc) but the html form interprets the first double quote of the string as an end to the form info and thus passes a variable containing nothing, i.e. "", through, which therefore means the SQL will not work.

Then I tried using single quotes in the form and double quotes in the string as per my example in the first post. However this means I cannot use double or single quotes in my text because if single quotes are used the form will interpret them as the end of the form info and if double quotes are used it will do similar with the SQL command.

01-20-2004, 03:59 PM
<? ?> are short tags and can only be used if they are enabled in the php configuration.

Just change those to regular tags

<p>Do you wish to enact the <?php echo $dbaction; ?> command?</p>
<form name="form1" method="post" action="action01.php">
<input type="hidden" name="table" value="<?php echo $table; ?>">
<input type="hidden" name="fieldsblock" value="<?php echo $fieldsblock; ?>">
<input type="hidden" name="stringsblock" value="<?php echo $stringsblock; ?>">
<input type="hidden" name="dbaction" value="<?php echo $dbaction; ?>">

As firepages said, echo things out only when needed. Don't echo everything. That just leads you to the problem you are having now in keeping up with quotes and having to escape them.

01-21-2004, 11:48 AM
Your point is taken I will do that. It should help readability anyway.

However no one really understood my question. Obviously I need a bit more skill in explaining things. My core problem was escaping the double quotes of the html form, not the double quotes of the echo command. I have solved that problem thanks to a guy in the html forum here by using php's htmlentities function.

My other problem is escaping the double quotes in my VALUES for a MySQL command without storing slashes in the database, and it's all linked together with php being the method I'm using to get around the problems.

I was wondering if htmlentities stacks. Trying to explain here. That is if I had this string (1)

Confucius say "pregnant woman who ask when baby move not know baby not move till after college."

then applied htmlentities should get (2)

Confucius say &quot;pregnant woman who ask when baby move not know baby not move till after college.&quot;

and html_entity_decode should decode it back to the first version. However, if I instead concatenated a bit more to get (3)

Post contains "Confucius say &quot;pregnant woman who ask when baby move not know baby not move till after college.&quot;"

and did htmlentities again, could the string (4) formed (I have no idea how it would look) then be put through html_entity_decode to form string (3) and then put through again to get a string something like (5) below, or would it just jump straight to (5) after the first html_entity_decode?

Post contains "Confucius say "pregnant woman who ask when baby move not know baby not move till after college.""

01-24-2004, 08:30 AM
I have found the answer to the above is no, htmlentities doesn't stack.

I've used double quoting, i.e. "", to get around this problem.

06-17-2009, 04:54 AM
The problem is htmlentities() and htmlspecialchars() aren't replacing single quotes.

Lets say the value you are drawing from the database is for the sake of simplicity, $value, and that value is "Trias's Value".

You wouldn't execute htmlentities($value), but rather htmlentities($value, ENT_QUOTES), which tells php to convert both single and double quotes to their html entity.

Hope this helps.
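The layering question from the earlier post and the ENT_QUOTES point from the post above, run through as an added example that is not the thread's code. It uses the thread's Confucius string as constructed input and shows what htmlentities() does to text that already contains entities, how many html_entity_decode() calls it takes to get back, and what the `double_encode` argument (PHP 5.2.3 and later, so not available to the 2004 posters) changes; the function names `encode_layers` and `decode_layers` are this example's own.

```php
<?php
// Added example (not from the thread): how htmlentities() layers and how
// html_entity_decode() unwinds it. encode_layers/decode_layers are helper
// names invented for this demo.
declare(strict_types=1);

// Run $s through htmlentities() $n times. ENT_QUOTES makes single quotes
// entities too; without it, ' passes through unchanged on PHP before 8.1.
// $double maps to htmlentities()' double_encode argument: when true, an
// existing &quot; is encoded again to &amp;quot;.
function encode_layers(string $s, int $n, bool $double = true): string
{
    for ($i = 0; $i < $n; $i++) {
        $s = htmlentities($s, ENT_QUOTES, 'UTF-8', $double);
    }
    return $s;
}

// html_entity_decode() removes exactly one layer per call.
function decode_layers(string $s, int $n): string
{
    for ($i = 0; $i < $n; $i++) {
        $s = html_entity_decode($s, ENT_QUOTES, 'UTF-8');
    }
    return $s;
}

// Constructed input: the thread's string (1).
$s1 = 'Confucius say "pregnant woman who ask when baby move not know baby not move till after college."';

// (2): one layer, " becomes &quot;
$s2 = encode_layers($s1, 1);

// (3): wrap the encoded text in a new pair of quotes, then (4): encode again.
// The outer " becomes &quot; and the inner &quot; becomes &amp;quot;
$s3 = 'Post contains "' . $s2 . '"';
$s4 = encode_layers($s3, 1);

// One decode gives (3) back; a second gives the fully decoded (5).
var_dump(decode_layers($s4, 1) === $s3);                        // true
var_dump(decode_layers($s4, 2) === 'Post contains "' . $s1 . '"'); // true

// With double_encode=false a second pass leaves existing entities alone,
// so already-encoded data is not encoded twice; one decode then suffices.
var_dump(encode_layers($s2, 1, false) === $s2);                  // true

// A single quote in attribute data: only ENT_QUOTES makes it safe inside value='...'
$apostrophe = "Trias's Value";
echo htmlentities($apostrophe, ENT_QUOTES, 'UTF-8'), "\n";       // Trias&#039;s Value
echo $s4, "\n";
echo encode_layers($s3, 1, false), "\n";
```

The practical rule that falls out of this: encode exactly once, at the point where the string is written into HTML, and keep the stored copy unencoded; if you cannot be sure whether a value has already been encoded, pass `double_encode=false` so a second pass cannot turn `&quot;` into `&amp;quot;`.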

06-17-2009, 07:46 AM
You can create the form with singles and doubles and an echo, though you may or may not want to.


echo "<form name='form1' method='post' action='action01.php'>
<input type='hidden' name='table' value='".$table."'>
<input type='hidden' name='fieldsblock' value='".$fieldsblock."'>
<input type='hidden' name='stringsblock' value='".$stringsblock."'>
<input type='hidden' name='dbaction' value='".$dbaction."'>";