PHP - Converting Smart Quotes To Regular Quotes

A problem has arisen which puzzles me. I have forms which save data to MySql and retrieve it, showing it as the default data in the form. Naturally I escape any quotes before sending it to the database and remove the slashes when I retrieve it. But the form HTML code shows the data like this value="$variable" which is fine when only single quotes are used in the data but causes a problem when the user uses double quotes. So data of John \"Jack\" Smith would be output as value="John "Jack" Smith" with obvious problems. If I use value='...' then that would cause problems with single quotes.

I haven't seen the answer in any of my books. The only things I can think of is changing all double quotes to single before saving to DB or converting them with htmlspecialcharacters so they are no longer actual quotes.

Hello,

Using the following code, I'm extracting the $current_solution from my database.  However, if the variable has quotes in it, I get gobbledegook.  Code: [Select]
<input type ="radio" name="solution" <?php  echo 'value="' . $current_solution . '"' ?> id="solution" <?php if ($row['solution'] == $current_solution) {echo 'checked = "yes"';} ?>/><?php echo$current_solution; ?></label>
As an example, if the $current_solution variable is:  A right-side up letter u   then I get:

" id="solution" checked = "yes"/>
A right-side up letter "u".

I know that it's a quote issue but am not sure how to fix it.  I tried adding slashes but I fear that it didn't work.  Any thoughts on this would be appreciated!

Thanks so much,

Eric

My old server had magic_quotes_gpc turned on. My new one does not.
Will mysql_real_escape_string solve all the issues that magic_quotes was used for?
My site runs a blogging application and it seems some of the templates which contain a lot of html and css do not insert into the database properly even when using mysql_real_escape_string.

Thanks,

Brian

So, I think you have all heard the news. THEY ARE GONE!

Unfortunately, I do have some old code that I do not feel like going line by line and updating. I was wounding if you guys could help me out.

I was hoping that there would be a way to set a define of some sort then when I grab something out of an SQL table it will automatically takeout the "\" (Slashes) and when I insert something into the database it will add the slashes...

YES I know and have read the statement written by the php group [http://www.php.net/manual/en/securit...uotes.why.php] But i do not particularly want to go through my code and change everything by hand.

If you have any idea, or would like me to explain it another way, please post.

Any help will be greatly appreciated.

--redcrusher

Hi, newbie here.
Could someone show me how to properly escape the quotes in this code so it works properly? I'm having major problems with it, thanks.

echo "<td style="background-color:#fff"
 onMouseover="this.style.backgroundColor='#ff9900';"
 onMouseout="this.style.backgroundColor='#fff';">"

Alright, I've troubleshooted for about an hour on this and still can't figure it out, I've got the following line of code:

             Code: [Select]
$newstring = '$search = mysql_query("SELECT * FROM cmscbesalke.game where gameTitle = '".$gametitle."'");';
that is giving the following error:

Parse error: syntax error, unexpected '"' in /home/content/06/8675706/html/edit.game.php on line 136

I've tried to do the following as well:
Escaping the ", adding in extra . operators, and removing quotes.

The complicated part here is that I need the fwrite to write the $gametitle variable, with single quotes around it that way the mysql_query will return the correct database entry, but everytime I get the line of code to work it does not put the quotes.

If I put into the database this string: Call the wife's son tomorrow

How do I put it in to keep that apostrohe (wife's) and then when I retrieve it, also keep it without it displaying as wife/'s

If I use stripslashes I think that just gets rid of the slash, but I want to KEEP the slash (but still protecting the database so it is not seen as a quote by the php code).

I hope this is clear :-)

I'm trying to figure out why it won't display the quote(s) for the selected person. I echoed the query and it's getting the correct id its just not displaying correctly. Any ideas?

function getQuotes($id) {
$id=mysql_real_escape_string($id);
$sql = "SELECT * FROM `efed_bio_quotes` WHERE bio_id = '$id'";
$re = mysql_query($sql);
$i = 0;
$quotes = array();
$row = mysql_fetch_assoc($re);
extract($row);
?>
<ul id="quotes">
<?php
if(count($quotes) > 0){
for($i = 0; $i < count($quotes); $i++){
echo "<li>".$quotes[$i]."</li>";
}
}
else{
echo '<li>This wrestler has no quotes.</li>';
}
?>
</ul>
<?php
}

Hi...

I'm trying to get this code to work:
echo "<a href='". $row['img_path']."'><img border=0 src='". $row['thumb_bw_path']."' onmouseover='this.src='". $row['thumb_path']."'' onmouseout='this.src='". $row['thumb_bw_path']."'' />". "</a></td> \n";

To get the hover effect that i want there is alot of quotes. The hover effect does not work and i guess it is
because of the wrong use of quotes.
The correct way is:
Code: [Select]
onmouseover="this.src='source_to_image'"
But the use of double quotes " is not possible...
Is there a simple solution to this?

i have some code which checks to see if a username  and an email is in use. from what i can understand, it uses magic quotes to prevent sql injection. i've heard that magic quotes are not going to be in use in php6, so how can i change it so that it uses real escape string instead?

if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") 
or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0) {
die('Sorry, the username '.$_POST['username'].' is already in use.');
}

if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$emailcheck = $_POST['email'];
$check = mysql_query("SELECT email FROM users WHERE email = '$emailcheck'") 
or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0) {
die('Sorry, the email '.$_POST['email'].' is already registered to another account.');
}


Thanks

I'm designing a website that takes user input from in a <textarea></textarea> and enters the input into a database. Everything works besides if the user has double quotes (") in his/her message. (the name of the table that I want to add to is alluserposts)

What i have so far is the following:
from index.php:
<form action="insert2.php" method="post"><textarea name="user_post" rows="6" cols="35"></textarea></form>

from insert2.php:
mysql_query("INSERT INTO alluserposts (post_value) VALUES(" . "\"" . $_POST['user_post'] . "\")" ,$db) or die(mysql_error($db));

I want the user to be able to input any character. How can i do that?

Greetings,

I'm trying to execute a shell command with a user-supplied password as input.  The password may contain apostrophes and and virtually any other character.  Unfortunately, when using escapeshellarg(), the password argument is interpreted as two separate arguments, as escapeshellarg() will handle apostrophes (single quotes) by breaking out of the already quoted text and using a backslash escape.


$password = escapeshellarg("ex'ample!%");  // The password will actually be supplied by an HTML form.

$command = ('echo '.$password);

echo "$command";

// Returns 'ex'\''ample!%'


Does anyone have any input on how to accomplish what I'm trying to do?  I'd like to allow obscure passwords without disallowing specific characters, while still being "safe" in passing the information to a shell command.  Double quotes would work for passing single quotes, but I'm afraid I might break other characters there.

Thanks.

Hi im struggling to find out how to get an if statement working with my random quote creator, here is the coding:
Code: [Select]
<?php
include 'connect.php';
session_start();
$username = $_SESSION['loginusername'];

$result = mysql_query("SELECT * FROM boxerinfo WHERE fighterrequest = '$username'");

while($row = mysql_fetch_array($result))
  {
$quotes[] = 'Go ahead, bite the big apple, don\'t mind the maggots, uh huh.';
$quotes[] = 'Happiness is a warm gun. (bang-bang, shoot-shoot.)';
$quotes[] = 'You may be a lover but you ain\'t no dancer.';
$quotes[] = 'Yeah you got lucky, babe. When I found you.';
$quotes[] = 'Out here in the fields, I fight for my meals.';
$quotes[] = 'You go back, jack, do it again. Wheel turnin\' round and round.';
$quotes[] = 'Don\'t let the sound of your own wheels drive you crazy.';
$quotes[] = 'Lord I\'m learning so much more, than back when I knew it all.';
$quotes[] = 'You get too much you get too high. Not enough and you\'re gonna die.';
$quotes[] = 'You were wrong when you said, \'everything was gonna be alright.\'';
$quotes[] = 'I know just what you need. I might just have the thing.';
$quotes[] = 'I am hot, and when I\'m not, I\'m cold as ice.';
$random_number = rand(0,count($quotes)-1);

echo $quotes[$random_number];
 
  }
?>
I just want if $quotes = (a certain quote) then insert into mysql table, anyone know how to do this on an array?

thanks

Hello there. Well this problem maybe basic but is kind of annoying me. I havea solution to it which I wil lexplain.

I have created a .php document which has html codes as well. It is a form that provides validation, for arguments sake lets say it is a form that validates if a user has entered their username and password, if not it will produce an error.

The problem I am having is I have embedded the code inside the echo
"
code is here
";
Now I have looked at escape characters and tried afew things, yet it still produces the same error on the same line.

Example

   echo

"      
   
   
   !!!!!!!<form action='book.php' method='post' onsubmit="return checkForm('flogin');">!!!!!!
   The reset of the form is here .....
   
   "";
   echo

The area highlighted in exclamation marks is where the area occurs, due to the quotes.


Any suggestions.


Thanks.

I am wondering since in php when you write string in " " quotes php will look if there is any variable and if it is it will read that variable and replace variable name with that value inside the string. However when i use ' ' quotes php will not look for any variables inside that string. So my question is when you write a really big application is it good to always use ' '  quotes when you can instead of " " ones. Does that have an impact on performance. Thanks