PHP - Help- My Code Fails To Convert New Quotes (“foo”) To Old Quotes ("foo")

A problem has arisen which puzzles me. I have forms which save data to MySql and retrieve it, showing it as the default data in the form. Naturally I escape any quotes before sending it to the database and remove the slashes when I retrieve it. But the form HTML code shows the data like this value="$variable" which is fine when only single quotes are used in the data but causes a problem when the user uses double quotes. So data of John \"Jack\" Smith would be output as value="John "Jack" Smith" with obvious problems. If I use value='...' then that would cause problems with single quotes.

I haven't seen the answer in any of my books. The only things I can think of is changing all double quotes to single before saving to DB or converting them with htmlspecialcharacters so they are no longer actual quotes.

Hello,

Using the following code, I'm extracting the $current_solution from my database.  However, if the variable has quotes in it, I get gobbledegook.  Code: [Select]
<input type ="radio" name="solution" <?php  echo 'value="' . $current_solution . '"' ?> id="solution" <?php if ($row['solution'] == $current_solution) {echo 'checked = "yes"';} ?>/><?php echo$current_solution; ?></label>
As an example, if the $current_solution variable is:  A right-side up letter u   then I get:

" id="solution" checked = "yes"/>
A right-side up letter "u".

I know that it's a quote issue but am not sure how to fix it.  I tried adding slashes but I fear that it didn't work.  Any thoughts on this would be appreciated!

Thanks so much,

Eric

My old server had magic_quotes_gpc turned on. My new one does not.
Will mysql_real_escape_string solve all the issues that magic_quotes was used for?
My site runs a blogging application and it seems some of the templates which contain a lot of html and css do not insert into the database properly even when using mysql_real_escape_string.

Thanks,

Brian

Alright, I've troubleshooted for about an hour on this and still can't figure it out, I've got the following line of code:

             Code: [Select]
$newstring = '$search = mysql_query("SELECT * FROM cmscbesalke.game where gameTitle = '".$gametitle."'");';
that is giving the following error:

Parse error: syntax error, unexpected '"' in /home/content/06/8675706/html/edit.game.php on line 136

I've tried to do the following as well:
Escaping the ", adding in extra . operators, and removing quotes.

The complicated part here is that I need the fwrite to write the $gametitle variable, with single quotes around it that way the mysql_query will return the correct database entry, but everytime I get the line of code to work it does not put the quotes.

If I put into the database this string: Call the wife's son tomorrow

How do I put it in to keep that apostrohe (wife's) and then when I retrieve it, also keep it without it displaying as wife/'s

If I use stripslashes I think that just gets rid of the slash, but I want to KEEP the slash (but still protecting the database so it is not seen as a quote by the php code).

I hope this is clear :-)

i have some code which checks to see if a username  and an email is in use. from what i can understand, it uses magic quotes to prevent sql injection. i've heard that magic quotes are not going to be in use in php6, so how can i change it so that it uses real escape string instead?

if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") 
or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0) {
die('Sorry, the username '.$_POST['username'].' is already in use.');
}

if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$emailcheck = $_POST['email'];
$check = mysql_query("SELECT email FROM users WHERE email = '$emailcheck'") 
or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0) {
die('Sorry, the email '.$_POST['email'].' is already registered to another account.');
}


Thanks

I'm trying to figure out why it won't display the quote(s) for the selected person. I echoed the query and it's getting the correct id its just not displaying correctly. Any ideas?

function getQuotes($id) {
$id=mysql_real_escape_string($id);
$sql = "SELECT * FROM `efed_bio_quotes` WHERE bio_id = '$id'";
$re = mysql_query($sql);
$i = 0;
$quotes = array();
$row = mysql_fetch_assoc($re);
extract($row);
?>
<ul id="quotes">
<?php
if(count($quotes) > 0){
for($i = 0; $i < count($quotes); $i++){
echo "<li>".$quotes[$i]."</li>";
}
}
else{
echo '<li>This wrestler has no quotes.</li>';
}
?>
</ul>
<?php
}

Hi, newbie here.
Could someone show me how to properly escape the quotes in this code so it works properly? I'm having major problems with it, thanks.

echo "<td style="background-color:#fff"
 onMouseover="this.style.backgroundColor='#ff9900';"
 onMouseout="this.style.backgroundColor='#fff';">"

So, I think you have all heard the news. THEY ARE GONE!

Unfortunately, I do have some old code that I do not feel like going line by line and updating. I was wounding if you guys could help me out.

I was hoping that there would be a way to set a define of some sort then when I grab something out of an SQL table it will automatically takeout the "\" (Slashes) and when I insert something into the database it will add the slashes...

YES I know and have read the statement written by the php group [http://www.php.net/manual/en/securit...uotes.why.php] But i do not particularly want to go through my code and change everything by hand.

If you have any idea, or would like me to explain it another way, please post.

Any help will be greatly appreciated.

--redcrusher

Hi...

I'm trying to get this code to work:
echo "<a href='". $row['img_path']."'><img border=0 src='". $row['thumb_bw_path']."' onmouseover='this.src='". $row['thumb_path']."'' onmouseout='this.src='". $row['thumb_bw_path']."'' />". "</a></td> \n";

To get the hover effect that i want there is alot of quotes. The hover effect does not work and i guess it is
because of the wrong use of quotes.
The correct way is:
Code: [Select]
onmouseover="this.src='source_to_image'"
But the use of double quotes " is not possible...
Is there a simple solution to this?

Greetings,

I'm trying to execute a shell command with a user-supplied password as input.  The password may contain apostrophes and and virtually any other character.  Unfortunately, when using escapeshellarg(), the password argument is interpreted as two separate arguments, as escapeshellarg() will handle apostrophes (single quotes) by breaking out of the already quoted text and using a backslash escape.


$password = escapeshellarg("ex'ample!%");  // The password will actually be supplied by an HTML form.

$command = ('echo '.$password);

echo "$command";

// Returns 'ex'\''ample!%'


Does anyone have any input on how to accomplish what I'm trying to do?  I'd like to allow obscure passwords without disallowing specific characters, while still being "safe" in passing the information to a shell command.  Double quotes would work for passing single quotes, but I'm afraid I might break other characters there.

Thanks.

I'm using a PHP foreach loop to set Javascript array values from PHP array values  The problem is that some of the array values contain double quotes(") so it compromises the JS script.  Is there a PHP function that automatically escapes each double quote in a given string?

I've got a file with some strings that have both types of quotes in them.  And I seem to have managed to get the data, display it in my html, store it in a js array (using a json_encode in php and then simply inserting it into my js) but I cannot seem to pass the string as a parameter form an onclick function call to js.    For most strings the addslashes makes it work in the function call.  But for those with both sets of quotes it won't work.  My console tells me there are "unterminated string constants..".  I've experimented with many silly changes but none make it work.   Ex. of the strings:   What do you mean "It's crooked"?   Of course I could remove the contraction and that would probably work, but that would be a hack, would not it?

Nevermind.  Changed the following and it works:

->withHeader('Content-Disposition', 'attachment; filename="'.$name.'"')

When downloading a file, the name of the file is 'report.csv' (it literally has single quotes around it so Window's does recognize it as a CSV file).  I am obviously adding them, but I am not sure where.  The workflow is browser requests from webserver,  webserver performs cURL request to a second server, second server creates CSV file and returns it to webserver which returns it to browser client.  My code is below (I removed some unrelated script for briefness, but should have all pertinent code).  Do you see the culprit?  Any recommendations on how to troubleshoot?  Thanks

 

Browser Client

$('#list-header').on('click', '.download-data', function() {
    window.location.assign("/api/query/trend?parameters=foo&Accept=csv");
});

Webserver

$app->get('/api/query/trend', function(Request $request, Response $response) {
    $uri = $request->getUri();
    $path = substr($uri->getPath(), 4); //Remove "/api" from uri
    return $this->serverBridge->proxy($request->withUri($uri->withPath($path)), $response);
});

$c['serverBridge'] = function ($c) {
    return new \NotionCommotion\ServerBridge\ServerBridge(
        new \GuzzleHttp\Client([
            'base_uri' => $c['settings']['server']['scheme'].'://'.$c['settings']['server']['host'],
            'headers' => ['X-NotionCommotion-Key' => $c['settings']['server']['key']],
            'timeout'  => 30,
        ])
    );
};

class ServerBridge
{

    private $httpClient;

    public function __construct(\GuzzleHttp\Client $httpClient){
        $this->httpClient=$httpClient;  //Must be configured with default path
    }

    public function proxy(\Slim\Http\Request $slimRequest, \Slim\Http\Response $slimResponse):\Slim\Http\Response {
        //Forwards Slim Request to another server and returns the updated Slim Response.
        //TBD whether this method should change urlencoded body if provided to JSON and change Content-Type header.
        //TBD whether this method should change not send Slim request to Guzzle, but instead create a new Guzzle request and apply headers as applicable.
        $body=$slimRequest->getBody();
        $slimRequest=($contentType=$slimRequest->getContentType())
        ?$slimRequest->withUri($slimRequest->getUri()->withHost($this->getHost(false)))  //Change slim's host to API server!
        :$slimRequest->withUri($slimRequest->getUri()->withHost($this->getHost(false)))->withHeader('Content-Type', $contentType);  //And also apply Content-Type

        $guzzleResponse=$this->httpClient->send($slimRequest);
        //Blacklist headers which should not be changed.  TBD whether I should whitelist headers instead.
        $excludedHeaders=['Date', 'Server', 'X-Powered-By', 'Access-Control-Allow-Origin', 'Access-Control-Allow-Methods', 'Access-Control-Allow-Headers'];
        $headerArrays=array_diff_key($guzzleResponse->getHeaders(), array_flip($excludedHeaders));
        foreach($headerArrays as $headerName=>$headers) {
            foreach($headers as $headerValue) {
                $slimResponse=$slimResponse->withHeader($headerName, $headerValue);
            }
        }
        return $slimResponse->withStatus($guzzleResponse->getStatusCode())->withBody($guzzleResponse->getBody());
    }

    private function getHost(bool $includeSchema=true):string {
        $baseUri=$this->httpClient->getConfig()['base_uri'];
        return $includeSchema?$baseUri->getScheme().'://'.$baseUri->getHost():$baseUri->getHost();
    }
}

API Server

$app->get('/query/trend', function (Request $request, Response $response) {
    $dataObject = $this->trendService->query($request->getQueryParams());
    $responder = new ResponseContent\ResponseContentCsv($response);
    return $responder->respond($dataObject);
);

class ResponseContentCsv
{
    protected  $response;

    public function __construct(\Psr\Http\Message\ResponseInterface $response) {
        $this->response=$response;
    }

    public function respond($dataObject) {

        $stream = fopen('php://memory', 'w+');

        //Use fputcsv() to write to stream

        $name='report.csv';
        rewind($stream);

        return $this->response->withBody(new \Slim\Http\Stream($stream))
        //->setOutputBuffering(false)
        ->withHeader('Content-Description', 'File Transfer')
        ->withHeader('Cache-Control', 'must-revalidate, post-check=0, pre-check=0')
        //->withHeader('Content-Type', 'text/csv')
        ->withHeader('Content-Disposition', "attachment; filename='$name'")
        ->withHeader('Expires', '0')
        //->withHeader('Content-Length', $doc->size),
        ->withHeader('Pragma', 'public');
    }
}

 

Edited May 5, 2019 by NotionCommotion
Figured out what I was doing wrong

Hi im struggling to find out how to get an if statement working with my random quote creator, here is the coding:
Code: [Select]
<?php
include 'connect.php';
session_start();
$username = $_SESSION['loginusername'];

$result = mysql_query("SELECT * FROM boxerinfo WHERE fighterrequest = '$username'");

while($row = mysql_fetch_array($result))
  {
$quotes[] = 'Go ahead, bite the big apple, don\'t mind the maggots, uh huh.';
$quotes[] = 'Happiness is a warm gun. (bang-bang, shoot-shoot.)';
$quotes[] = 'You may be a lover but you ain\'t no dancer.';
$quotes[] = 'Yeah you got lucky, babe. When I found you.';
$quotes[] = 'Out here in the fields, I fight for my meals.';
$quotes[] = 'You go back, jack, do it again. Wheel turnin\' round and round.';
$quotes[] = 'Don\'t let the sound of your own wheels drive you crazy.';
$quotes[] = 'Lord I\'m learning so much more, than back when I knew it all.';
$quotes[] = 'You get too much you get too high. Not enough and you\'re gonna die.';
$quotes[] = 'You were wrong when you said, \'everything was gonna be alright.\'';
$quotes[] = 'I know just what you need. I might just have the thing.';
$quotes[] = 'I am hot, and when I\'m not, I\'m cold as ice.';
$random_number = rand(0,count($quotes)-1);

echo $quotes[$random_number];
 
  }
?>
I just want if $quotes = (a certain quote) then insert into mysql table, anyone know how to do this on an array?

thanks