PHP - Which To Use? Curly Quotes, Straight Quotes, <q> Tags Or Html Entities?

A problem has arisen which puzzles me. I have forms which save data to MySql and retrieve it, showing it as the default data in the form. Naturally I escape any quotes before sending it to the database and remove the slashes when I retrieve it. But the form HTML code shows the data like this value="$variable" which is fine when only single quotes are used in the data but causes a problem when the user uses double quotes. So data of John \"Jack\" Smith would be output as value="John "Jack" Smith" with obvious problems. If I use value='...' then that would cause problems with single quotes.

I haven't seen the answer in any of my books. The only things I can think of is changing all double quotes to single before saving to DB or converting them with htmlspecialcharacters so they are no longer actual quotes.

I have a navigation list displaying which is a mix of html and php, everything is working fine however now I want to convert this block of code into a function but am having major problems with quotes.

The line of code I currently have is 

$data = $db->query("SELECT * FROM menu")->fetchAll(PDO::FETCH_ASSOC);

foreach ($data as $row) { ?>
     <li><a href="<?php echo $row['url']; ?>" title="<?php echo $row['title']; ?>"><?php echo $row['icon'] . ' ' . $row['header']; ?></a></li>

<?php
	}
?>

As I say everything works using the above but now I am trying to echo the full li out and am having major issues with single and double quotes.

I currently have 

echo "<li><a href='#' title='the title'><i class='fas fa-user site-nav--icon'></i> Help</a></li>";

Now I am trying to use the $row['url'], $row['title'], $row['icon'] & $row['header'] as per the top example but I cannot get the combination of quote marks correct, whether to use double, single or a combination.

I would be grateful if someone could suggest the correct syntax for the a tag then I can work through the rest.

Thanks

for print html : What's Better, Faster and Optimized ?!?

Code: [Select]
echo "<tr height=\"22\">
    <form action = \"{$URL}/admin/edit.php\" method=\"POST\">
      <input type=\"hidden\" name=\"login\">
      <td width=\"15%\" bgcolor=\"$bgcolor\">&nbsp;<input type = \"text\" name = \"login\" value=" . $f['login'] . "></td>
      <td width=\"15%\" bgcolor=\"$bgcolor\">&nbsp; <input type = \"password\" name = \"password\" value=" . $f['pass'] . "> </td>
    </form>
        </tr>";

With PHP Method 2 : ( single )

Code: [Select]
echo ' <tr><form action = "' . URL . '/admin/editadmins.php" method="POST"> ';
 echo ' <td align="left" valign="top"><input type = "text" name = "login" value = "' . $f['login'] . '"></td>';
 echo ' <td align="left" valign="top"><input type = "password" name = "password" value = "' . $f['pass'] . '"></td></form></tr>';

Method 3 : (With Html And Php echo )

Code: [Select]
<tr height="22">
<form action = "../admin/editadmins.php" method="POST">
<td align="left" valign="top"><input type = "text" name = "login" value = "<?PHP echo $f['login']; ?>"></td>
<td align="left" valign="top"><input type = "text" name = "password" value = "<?PHP echo $f['pass']; ?>"></td>
</form>
<tr>
Thanks.

Hi all

I have a field in mySQL table called dimensions. It has the double quote in in for inches - "

When I echo the result from the mySQL query on the item page (Customer facing) it's fine. However, I have built a form so that the administrator can edit the dimensions in the admin panel and when I echo it out in to the form field it stops when it gets to the double quotes?

Pete

Hello,

Using the following code, I'm extracting the $current_solution from my database.  However, if the variable has quotes in it, I get gobbledegook.  Code: [Select]
<input type ="radio" name="solution" <?php  echo 'value="' . $current_solution . '"' ?> id="solution" <?php if ($row['solution'] == $current_solution) {echo 'checked = "yes"';} ?>/><?php echo$current_solution; ?></label>
As an example, if the $current_solution variable is:  A right-side up letter u   then I get:

" id="solution" checked = "yes"/>
A right-side up letter "u".

I know that it's a quote issue but am not sure how to fix it.  I tried adding slashes but I fear that it didn't work.  Any thoughts on this would be appreciated!

Thanks so much,

Eric

i have some code which checks to see if a username  and an email is in use. from what i can understand, it uses magic quotes to prevent sql injection. i've heard that magic quotes are not going to be in use in php6, so how can i change it so that it uses real escape string instead?

if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") 
or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0) {
die('Sorry, the username '.$_POST['username'].' is already in use.');
}

if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$emailcheck = $_POST['email'];
$check = mysql_query("SELECT email FROM users WHERE email = '$emailcheck'") 
or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0) {
die('Sorry, the email '.$_POST['email'].' is already registered to another account.');
}


Thanks

I'm trying to figure out why it won't display the quote(s) for the selected person. I echoed the query and it's getting the correct id its just not displaying correctly. Any ideas?

function getQuotes($id) {
$id=mysql_real_escape_string($id);
$sql = "SELECT * FROM `efed_bio_quotes` WHERE bio_id = '$id'";
$re = mysql_query($sql);
$i = 0;
$quotes = array();
$row = mysql_fetch_assoc($re);
extract($row);
?>
<ul id="quotes">
<?php
if(count($quotes) > 0){
for($i = 0; $i < count($quotes); $i++){
echo "<li>".$quotes[$i]."</li>";
}
}
else{
echo '<li>This wrestler has no quotes.</li>';
}
?>
</ul>
<?php
}

Hi, newbie here.
Could someone show me how to properly escape the quotes in this code so it works properly? I'm having major problems with it, thanks.

echo "<td style="background-color:#fff"
 onMouseover="this.style.backgroundColor='#ff9900';"
 onMouseout="this.style.backgroundColor='#fff';">"

Hi...

I'm trying to get this code to work:
echo "<a href='". $row['img_path']."'><img border=0 src='". $row['thumb_bw_path']."' onmouseover='this.src='". $row['thumb_path']."'' onmouseout='this.src='". $row['thumb_bw_path']."'' />". "</a></td> \n";

To get the hover effect that i want there is alot of quotes. The hover effect does not work and i guess it is
because of the wrong use of quotes.
The correct way is:
Code: [Select]
onmouseover="this.src='source_to_image'"
But the use of double quotes " is not possible...
Is there a simple solution to this?

Alright, I've troubleshooted for about an hour on this and still can't figure it out, I've got the following line of code:

             Code: [Select]
$newstring = '$search = mysql_query("SELECT * FROM cmscbesalke.game where gameTitle = '".$gametitle."'");';
that is giving the following error:

Parse error: syntax error, unexpected '"' in /home/content/06/8675706/html/edit.game.php on line 136

I've tried to do the following as well:
Escaping the ", adding in extra . operators, and removing quotes.

The complicated part here is that I need the fwrite to write the $gametitle variable, with single quotes around it that way the mysql_query will return the correct database entry, but everytime I get the line of code to work it does not put the quotes.

So, I think you have all heard the news. THEY ARE GONE!

Unfortunately, I do have some old code that I do not feel like going line by line and updating. I was wounding if you guys could help me out.

I was hoping that there would be a way to set a define of some sort then when I grab something out of an SQL table it will automatically takeout the "\" (Slashes) and when I insert something into the database it will add the slashes...

YES I know and have read the statement written by the php group [http://www.php.net/manual/en/securit...uotes.why.php] But i do not particularly want to go through my code and change everything by hand.

If you have any idea, or would like me to explain it another way, please post.

Any help will be greatly appreciated.

--redcrusher

If I put into the database this string: Call the wife's son tomorrow

How do I put it in to keep that apostrohe (wife's) and then when I retrieve it, also keep it without it displaying as wife/'s

If I use stripslashes I think that just gets rid of the slash, but I want to KEEP the slash (but still protecting the database so it is not seen as a quote by the php code).

I hope this is clear :-)

My old server had magic_quotes_gpc turned on. My new one does not.
Will mysql_real_escape_string solve all the issues that magic_quotes was used for?
My site runs a blogging application and it seems some of the templates which contain a lot of html and css do not insert into the database properly even when using mysql_real_escape_string.

Thanks,

Brian

 

same(this.getParams['vb'], ab.fill(), 'vb test');

    Expected: false
Result: "false"
Diff:     
false "false"   Please tell me how to fix this problem.

I've got a file with some strings that have both types of quotes in them.  And I seem to have managed to get the data, display it in my html, store it in a js array (using a json_encode in php and then simply inserting it into my js) but I cannot seem to pass the string as a parameter form an onclick function call to js.    For most strings the addslashes makes it work in the function call.  But for those with both sets of quotes it won't work.  My console tells me there are "unterminated string constants..".  I've experimented with many silly changes but none make it work.   Ex. of the strings:   What do you mean "It's crooked"?   Of course I could remove the contraction and that would probably work, but that would be a hack, would not it?