View Full Version : What happened to the quotes in my string?

10-27-2006, 07:26 PM
I'm pulling some data from a mySQL database and displaying it in a table. In many cases the data contains single quotes and double quotes. It displays fine in my table. The table contains form fields that let the user select rows to POST, then I process them etc...

The problem is when they post the form I'm losing everything after the first instance of a single or double quote, for example:

In my database record...
Ball valve, 2 1/2" 304 Stainless Steel (this is good)

In my html table...
Ball valve, 2 1/2" 304 Stainless Steel (this is good)

In $_POST['myfield']...
Ball valve, 2 1/2 (this is not good)

I have also tried using addslashes() to the data before posting it and get the following result...
Ball valve, 2 1/2\\ (this is not good)

Does anybody know what is causing this?

10-27-2006, 08:00 PM
What does your processed HTML form input element look like? post exact source.

ie. <input name="abc" value="your value with quotes" />

or if you're using a drop down.
<option value="your value with quotes" />

10-27-2006, 08:28 PM
You would need to use the add slashes when you recieve the data from the form before you insert the data into the database not when you print it to the page. The addslashes functions does just that. It adds \'s to your single and double quotes to make sure PHP does not try to interpret it as PHP code. And then when retrieve the data from the database you need to run stripslashes to remove the slashes that were inserted.

10-27-2006, 10:01 PM
Thanks for the responses, let me see if I can keep up...

Spookster - are you saying that the data in my database should have slashes in it? I use the following function to sanitize the data before I execute the query, this may be old school, I dunno.

if (get_magic_quotes_gpc()) {
$myVar = $_POST['whatever'];
} else {
$myVar = addslashes($_POST['whatever']);

The data in my database looks just like I posted above, there are no slashes.

ez - here's the code for the input field in the form:

printf(" <td> %s <input type=\"hidden\" name=\"description[]\" value=\"%s\" style=\"width:0px;\" </td>", $row["description"], $row["description"]);

10-27-2006, 11:31 PM
Just to update, I tried adding the data to the database with slashes in it. I still run into the problem. I tried echoing it before and after posting with strip slashes but I get the same result as before :(

10-31-2006, 01:11 AM
Well I figured it out (sort of). I made an assumption that the php writing my html (a table and a form) would write the same data to the hidden input as it would to the table. It wasn't.

I don't know why, maybe someone can explain, but the table was coming out fine and the input fields in the form were not. I had to end up using str_replace to replace all instances of quotes with &quot; to get the values into the form fields. It did not matter if my data was stored with slashes or not. I decided to do this when writing the table as well, just for piece of mind if nothing else. Here is the code that worked...

printf(" <td> %s <input type=\"hidden\" name=\"description[]\" value=\"%s\" style=\"width:0px;\" </td>",
str_replace("\"", "&quot;", $row["description"]), str_replace("\"", "&quot;", $row["description"]));