|
PHP - Escape Quotes Function?
I'm using a PHP foreach loop to set Javascript array values from PHP array values The problem is that some of the array values contain double quotes(") so it compromises the JS script. Is there a PHP function that automatically escapes each double quote in a given string?
Similar TutorialsThis code only works in firefox <a onMouseout='hidetooltip()' onMouseover='tooltip(\"<img src=img/heroes/$hero.gif\")' href='hero.php?hero=$hero'>Text</a> Btw, I use this in echo (php). How to get quotes (triple) on <img src= ? I also have tried <img src='img/heroes/$hero.gif' But only works on FireFox Hello. My client and I are trying to figure out a strange issue with exporting blobs. We are trying to sync a WAMP based databse and local MySQL database. The problem is with blob columns.
The issue: When exporting a blob, the local MySQL dump command inserts an escape character "\" before characters such as NUL, TAB and LF, and I am assuming a lot more. My PHP export function (opens a file, SELECT * FROM tbl, writes to the file) does not do this. The main issue is that my client cannot import my PHP dump files when there are blobs, which I suppose is because they are missing these escape characters. He can however re-import his own MySQL dumps. I know I could remedy by using PHP string replace functions to find each character and insert a '\' before it, but I don't know which characters will need to be escaped. I also feel like there is a more simple solution. For example this is what I have and it worked for a tiny 1 pixel image, but not for something complex:
$val = str_replace(chr('NUL'), '\0', $val);
$val = str_replace(chr(0x9), chr(0x5c).chr(0x9), $val);
$val = str_replace(chr(0xa), chr(0x5c).chr(0xa), $val);
Thanks
Hi, This escape function will only block quotes How would you stop java script insertion?
function escape($string) {
return htmlentities($string, ENT_QUOTES, 'UTF-8');
}
Thanks
i have made function of prepare or check the mysql real escapte string but when i run this code it gives two warnings msg Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'SYSTEM'@'localhost' (using password: NO) in C:\wamp\www\cart\include\db.php on line 42 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\cart\include\db.php on line 42 kindly tell me what is this msg about how to solve it my code is 37 public function mysql_prep($value){ 38 $magic_quotes_active=get_magic_quotes_gpc(); 39v$new_enough_php=function_exists("mysql_real_escape_string"); 40 if($new_enough_php){ 41if($magic_quotes_active){ $value=stripslashes($value);} 42 $value= mysql_real_escape_string($value);} 43 else { 44 if($magic_quotes_active){$value=addslashes($value);} 45} 46 return $value; 48 } I'm using the codeigniter mvc framework and there's an escape function to use before adding the data to the database. This function adds single quotes around the string of data. Is there any already existing php function or does anyone know how to code a function that strips ONLY the surrounding single quotes? Quotation marks are confusing me.
What do you guys use when it comes to quotation marks?
In HTML attributes and throughout the bodies of my web pages, I use the HTML entity ("). For example:
<a href="" title="Read "Article Name""> <p>In his new book, he says: "This is a quote."</p>I thought that this is the best practice. However, today, I read that it's perfectly safe to use straight quotes (") in the body, and that I should use the HTML entity only in HTML attributes. Is that correct? But what if I want to use curly quotes in the body instead of straight quotes? Should I always use the HTML entities for curly quotes (“ and ”), or can I also safely use the characters (“”)? I heard that straight quotes are safe in all browsers, even if you don't specify the character set of your web pages, but that curly quotes are only safe if you specify the character set or if you use the HTML entities. Is that true? And what about the <q> tag? Apparently, it's compatible with all browsers but they treat it differently. Edited by Fluoresce, 30 August 2014 - 07:37 AM. Hello everyone! This is my first post. I am very new to php and mysql and coding in general. It has not been made 100% clear to me as to when I should use single quotes, double quotes, and {}. From what I gather you use single quotes for literal interpretation... so if you put something like a variable in single quotes and echoed it, it would literally echo it as it is written and not the value of the variable. in double quotes, I gather that it will echo the value of the variable. as for {} I am unclear as to when to use the curly brackets for a variable. I am assuming if you had a statement in single quotes and you put a variable in curly brackets you would get the value of the variable?
Edited by LazerOrca, 25 November 2014 - 11:20 PM. The fancy-looking quotes won't insert into my DB, so I'm trying to convert them to %93 & %94 or normal quotes.
Nothing I've tried works.
Code:
$fancy=" “test” "; $fixed=htmlentities($old, ENT_QUOTES); echo "fancy: $fancy<br>"; echo "fixed: $fixed"; Results: fancy: “test” fixed: I want $fixed to be %93test%94, or even "test" would work. Edited by rwmaho, 18 October 2014 - 01:28 PM. I don't think I've asked this before have I?? can someone give me an internet KB that gives me all scenarios that warrant using singles or doubles? as in, wrapping values, variables, and why I need to do either, and when, etc, etc....? thanks Edited March 29 by ajetrumpetA problem has arisen which puzzles me. I have forms which save data to MySql and retrieve it, showing it as the default data in the form. Naturally I escape any quotes before sending it to the database and remove the slashes when I retrieve it. But the form HTML code shows the data like this value="$variable" which is fine when only single quotes are used in the data but causes a problem when the user uses double quotes. So data of John \"Jack\" Smith would be output as value="John "Jack" Smith" with obvious problems. If I use value='...' then that would cause problems with single quotes. I haven't seen the answer in any of my books. The only things I can think of is changing all double quotes to single before saving to DB or converting them with htmlspecialcharacters so they are no longer actual quotes. Hey! Code: [Select] echo "<ol type=\"a"\>";This gives an error, how am I supposed to escape the " " correctly? Hi guys, I think escaping is the correct term, apologies if its not. Could anyone show me how I can escape this so it works? Thanks Code: [Select] echo "[ - <a href="/$dir/game_play.php">Play</a> - ]"; Hello, I was wondering if I need to escape all get values. I often use a $_GET variable as in mypage.php?id=variable to selecting records to view etc. I usually convert this to a variable to be used in a WHERE statement. Code: [Select] IF ($_GET['id']){ $id=$_GET['id']; } But what if someone tried to view all records Quote http://www.mypage.com/page.php?id=0';SELECT%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content page data being displayed somehow. Or better yet, if visiting Quote http://www.mypage.com/page.php?id=0';DELETE%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content being deleted. Is that even possible in the in the context of a MySQL WHERE statement? Seems like the MySQL statement wouldn't be structured correctly and wouldn't work. I use mysqli_real_escape_string" on posted content but should I also escape all GET input? I have front page and page for news, and i wonna to set, on front page to show news but only 100 characters, and on news page to be all text, i done that with substr($news, 0, 100); but i have proble, when i have in $news text like this: Code: [Select] Hi everyone. <b>Bold</b>now, subsrt count <b> and </b> like characters, how can i escape that <b> </b>, <u> </u> and other? I haven't coded HTML or PHP in several years and am trying to get back into it. Seems to me that there were some nifty tricks so that when you were conctenating HTML and PHP you didn't get a birds nest. Maybe it was using something like { } but I don;t recall. I also seem to recall that wisely choosing where to use single (') and double (") quote was key! For example, how could this code be cleaner?
echo '<table id="membershipPlans"> <!-- Column Groups --> <colgroup> <col id="feature">'."\r"; foreach ($plan_names as $p_id => $p_name): echo '<col id="option0'.$p_id.'">'."\r"; endforeach; echo '</colgroup>";
Hi Chaps, this is really getting my back up as its never happened before...im doing a site on a server im not familiar with and its causing me problems Code: [Select] <? if(isset($_POST['upload'])) { include 'dbconnection.php'; $ttitle = mysql_real_escape_string($_POST['ttitle']); $ttitle2 = mysql_real_escape_string($_POST['ttitle2']); $query = "INSERT INTO test ( ttitle, ttitle2) ". "VALUES ('$ttitle', '$ttitle2' )"; mysql_query($query) or die('Error, query failed : ' . mysql_error()); echo "<br>File uploaded<br>"; } ?> The database table is showing that it includes the backslash in the record, whereas i understood mysql_real_escape_string was oinly used to carry the data, and the backslash wouldn't be uncluded. From the server: PHP.ini file: (ver 5.2.17) magic_quotes_gpc Off Off magic_quotes_runtime Off Off magic_quotes_sybase Off Off Is there something i can do to get this sorted, as i dont want to add stripslashes() throught the site. As with the above, i have some forms with loads of fields, so if there is someway of adding a function that would be great.... thanks in advance Hello I am having a problem trying to write to a database using mysql real escape so there wont be any injection attacks. I trying using myrealescape and it returns errors: Code: [Select] Notice: Use of undefined constant messageTo - assumed 'messageTo' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageSubject - assumed 'messageSubject' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageBody - assumed 'messageBody' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 I add in the single quotes and it doesn't write either. Dreamweaver says that either single quotes or not there is no syntax errors. What going on? I have used it like this befo ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "') and no problems.. ~AJ <?php require_once('connect.php'); if(isset($_COOKIE['user'])){}else{ header( 'Location: members.php'); } if (isset($_POST['sendBtn'])){ $messageFrom = $_COOKIE['user']; $messageTo = $_POST['messageTo']; $hash = $messageTo.$messageFrom.time(); $hash = md5($hash); mysql_select_db("majik"); $sql="INSERT INTO messagesystem(ID, hash, messageTo, messageFrom, messageSubject, messageBody, messageDate, messageRead, messageDelete) VALUES ('','$hash','" . mysql_real_escape_string($_POST['messageTo']) . "','$messageFrom','" . mysql_real_escape_string($_POST['messageSubject']) . "','" . mysql_real_escape_string($_POST['messageBody']) . "','0','0')"; echo '<center>Your message was sent to: '.$messageTo.'</center>'; } ?> I've got a basic text input area within a form for users to add a brief bio about themselves. I made sure to use mysql_real_escape_string to avoid problems with special characters. However, when I want to display the content within the text area when a user chooses to update or change their bio, the text displays the escape characters. How do I display data from my db without the user having to deal with the escape characters? I am having problems understanding how to sanitize my form data so it is safe to INSERT. If I use this code... Quote $trimmed = array_map('trim', $_POST); $body = mysqli_real_escape_string($dbc, $trimmed['body']); And I enter into my form... Quote O'Reilly's book Then I see this in phpMyAdmin... Quote O\'Reilly\'s book --------- If I use this code... Quote $trimmed = array_map('trim', $_POST); $body = $trimmed['body']; And I enter into my form... Quote O'Reilly's book Then I see this in phpMyAdmin... Quote O'Reilly's book Why the strange behavior?? Debbie |
|||||||