
Alright, so there's still stuff I have yet to learn about PHP. I'm trying to retrieve data from a MySQLi database and it's all fine until I'm forced to choose between double quotes or single quotes breaking something. With real_escape_string, I can store string data that contains a single quote, and it just gets escaped with a backslash, but if I don't use stripslashes() when I insert it into the value attribute...

  1. If my value attribute looks like this in the code: value="_" then double quotes within the string trim any data after them, because the quote seems to be interpreted as the end of the value attribute.

  2. If my value attribute looks like this in the code: value='__' then if I don't use stripslashes(), I see the slashes in the output, and if I use stripslashes(), it's the same thing as with the double quotes, but with any of the escaped single quotes within the string.

Hope this makes sense. I'm fairly tired right now, but with a few replies and questions asked for anyone who doesn't quite understand, I'm sure we can figure this out. :)

Your Common Sense
bitm0de
  • Note that you shouldn't use stripslashes at all. If you have extra slashes in the output, then you shouldn't have been adding them either. – Your Common Sense Apr 08 '14 at 04:31
  • I don't add them in the first place, that's the output from the escaped value I get from the database, and if I don't use that function, how do you get rid of the slashes? – bitm0de Apr 09 '14 at 20:08
  • That's what I said: **you shouldn't add these slashes in database** – Your Common Sense Apr 09 '14 at 20:14
  • Ok... But here's what I said: "I don't add them in the first place". I don't have slashes in my database, they were displayed when I select from the database for some reason... The only function I was using was real_escape_string on the values inserted. The error was probably a stupid mistake I made with the queried output... It's fixed now though I believe. :) – bitm0de Apr 10 '14 at 23:47
  • Again: anything that is adding extra slashes has to be removed. Be it real_escape_string or anything else. You have to ADD NO SLASHES instead of constantly removing them – Your Common Sense Apr 11 '14 at 04:13
  • You know about SQL injections right? As I have been telling you, the slashes don't exist within my database... Read what I'm saying. I have seen my database, I know what I'm observing. You're trying to tell me different? :S – bitm0de Apr 13 '14 at 02:20
  • Ok, if you aren't using stripslashes anymore, then it's all right. I thought you were still using them – Your Common Sense Apr 13 '14 at 03:20
  • Thanks, no I'm not using that anymore though. – bitm0de Apr 13 '14 at 21:49

1 Answer


If you have to output data into HTML which might have special characters, use htmlspecialchars

<input type="text" value="<?php echo htmlspecialchars('\'"&<>') ?>">

http://codepad.org/DxV3uq0L
http://jsfiddle.net/Uu29D/

Musa
  • I already figured that a combination of stripslashes() and htmlentities() seems to have done the trick. Could you explain why I would use htmlspecialchars() over htmlentities()? – bitm0de Apr 08 '14 at 03:01
  • I found this link on SO: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars ... Seems htmlentities() is easier to work with for my needs. I will keep in mind htmlspecialchars() for future reference though. I'm not dealing with any special UTF-8 characters though, so htmlentities() *should* be just fine... – bitm0de Apr 08 '14 at 03:06
  • I was just going to write something like that – Musa Apr 08 '14 at 03:08
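Putting the two escaping layers from this thread side by side, as an added PHP example that is not code from the question or from Musa's answer; it assumes PHP 5.4 or later (for ENT_HTML5) and uses a constructed sample value:

```php
<?php
declare(strict_types=1);

// Added example (not from the question or answer). It separates the two
// escaping layers the thread mixes up: SQL-literal escaping on the way in,
// HTML-attribute escaping on the way out, and no stripslashes() anywhere.

// Constructed sample value: both quote styles, an ampersand, a tag, and a
// literal backslash (which stripslashes() would silently destroy).
$stored = 'O\'Brien said "hi" & <b>ran</b> C:\\temp';

// Layer 1 (storage): with a prepared statement the value is bound as data, so
// no slashes are ever added and none need removing when it is read back:
//   $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
//   $stmt->bind_param('s', $stored);
// mysqli_real_escape_string() only produces a form that is valid inside a SQL
// string literal; MySQL consumes those backslashes while parsing, so the row
// equals $stored. Seeing backslashes on output means they were added twice.

// Layer 2 (display): escape for the HTML attribute context.
function attrValueWeak(string $s): string {
    // ENT_COMPAT escapes " but NOT ', so a value='...' attribute ends early
    // at the first apostrophe (the asker's case 2).
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

function attrValue(string $s): string {
    // ENT_QUOTES escapes both quote characters, so the result is safe in a
    // double-quoted AND a single-quoted attribute; the backslash is untouched.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "<input type='text' value='" . attrValueWeak($stored) . "'>\n"; // broken attribute
echo "<input type='text' value='" . attrValue($stored) . "'>\n";     // intact
echo '<input type="text" value="' . attrValue($stored) . '">' . "\n"; // intact
echo attrValue(stripslashes($stored)) . "\n"; // stripslashes() removed the real backslash
```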