
So as the title says, any strings which contain ' in them are not showing up properly in the website page itself. Anything after the ' is blank but anything before the ' is shown. But if I go to the database and view the information there, the word shows perfectly.

When I am putting the string values into the database, I use mysqli_real_escape_string before inserting them. And I have an option on the website to update these values by bringing them back and putting them into a text box but that is where anything after ' is blank.

Example: O' Rourke -> Would come back as: O

All code below. Deals with customers.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">

    <title>MindFactory - Performance For Less</title>

    <link rel="stylesheet" type="text/css" href="global.css">

</head>

<body id = "container">

<!-- --------------------------- Creating The Menu Bar ----------------------------------- -->

    <ul class = "menuBar">
        <li><a href="index.php">Home</a></li>
        <li><a class = "active" href="customer.php">Customer</a></li>
        <li><a href="sales.php">Sales</a></li>
        <li><a href="http://www.example.com">User: Administrator</a></li>
    </ul>

    <div class = "products">

    <!-- -------------------------- HEADING --------------------- -->

        <h1>Register a Customer</h1>

        <div id = "inputFormat">

            <form method="post" action="customer.php">
                <label>Email: *
                    <input type="text" name="email" placeholder="Enter Email" />
                </label><br>

                <label>First Name: *
                    <input type="text" name="forename" placeholder="Enter First Name" />
                </label><br>

                <label>Last Name: *
                    <input type="text" name="surname" placeholder="Enter Last Name" />
                </label><br>

                <label>Address: *
                    <input type="text" name="address" placeholder="Enter Address" />
                </label><br>

                <input type="submit" name="register" value="Register Customer" />
            </form><br><hr>

        </div>

<?php

// -------------------------------------- WHEN A NEW CUSTOMER IS BEING REGISTERED, DO THIS -----------------------------
if(isset($_POST['register'])){
    $forename = $_POST['forename'];
    $surname = $_POST['surname'];
    $address = $_POST['address'];
    $email = $_POST['email'];

    if($forename == "" OR $surname == "" OR $address == "" OR $email == "") {
        echo("You Did Not Enter All Details<br><br>");
    }
    else {
        include 'connection.php';

        $forenameEsc = mysqli_real_escape_string($connection,$forename);
        $surnameEsc = mysqli_real_escape_string($connection,$surname);
        $addressEsc = mysqli_real_escape_string($connection,$address);
        $emailEsc = mysqli_real_escape_string($connection,$email);

        $sql = "INSERT INTO customer(email,forename,surname,address) VALUES('$emailEsc','$forenameEsc','$surnameEsc','$addressEsc')";

        $result = mysqli_query($connection,$sql);

        if($result == 0) {
            echo("<p>Error Registering: ". mysqli_error($connection) . "</p>");
        }
        else {
            echo("<br><strong>Success</strong>. User: " . $forename . " " . $surname . " Has Been Registered");
        }
    }
}

// ---------------------------------------- WHEN NO CUSTOMER HAS BEEN CHOSEN TO UPDATE ------------------------------

if(!isset($_POST['update']) AND !isset($_POST['delete'])) {

include 'connection.php';

$statement = "SELECT * FROM customer";

$result = mysqli_query($connection, $statement);

if(!$result) {
echo "Query One Failed";
exit();
}
else {
if(mysqli_num_rows($result) < 1) {
echo "No Users Created";
}
else {
    echo "<h1>Update or Delete a Customer</h1>";

    echo "<table border=1>";
    echo "<tr><th>Customer ID</th><th>Email</th><th>First Name</th><th>Second Name</th><th>Address</th><th>Update</th><th>Delete</th></tr>";
    while ($row = mysqli_fetch_array($result)) {
        $custID = $row['custID'];
    echo ("<tr><td>");
            echo $custID;
            echo("</td><td>");
            echo $row['email'];
            echo("</td><td>");
            echo $row['forename'];
            echo("</td><td>");
            echo $row['surname'];
            echo("</td><td>");
            echo $row['address'];
            echo("</td><td>");
            echo("<form method='post' action='customer.php'><input type='hidden' name='custID' value='$custID'/><input type='submit' name='update' value='Update This User' /></form>");
            echo("</td><td>");
            echo("<form method='post' action='customer.php'><input type='hidden' name='custID' value='$custID'/><input type='submit' name='delete' value='Delete This User' /></form>");
            echo("</td></tr>");
    }
    echo "</table>";
    }
}
mysqli_free_result($result);
mysqli_close($connection);

}

// ---------------------------------------- WHEN USER TO UPDATE IS CHOSEN, DISPLAY THIS ------------------------------

if(isset($_POST['update'])) {
$custID = (int) $_POST['custID'];

include 'connection.php';

$statement = "SELECT * FROM customer WHERE custID = $custID";

$result = mysqli_query($connection,$statement);

if(!$result) {
echo "Query Failed";
exit();
}

else {
$row = mysqli_fetch_array($result);
$firstName = $row['forename'];
$lastName = $row['surname'];
$address = $row['address'];

$sFirstName = stripslashes($firstName);
$sLastName = stripslashes($lastName);
$sAddress = stripslashes($address);

echo ("
<form method='post' action = 'customer.php'>
    <label>New Forename: <br>
        <input type='text' name='ud_forename' value='$sFirstName' />
    </label><br>

    <label>New Surname: <br>
        <input type='text' name='ud_surname' value='$sLastName' />
    </label><br>

    <label>New Address: <br>
        <input type='text' name='ud_address' value='$sAddress' />
    </label><br><br>

    <input type='hidden' name='userToUpdate' value='$custID' />

    <input type='submit' name='user_update' value='Confirm Changes' />
</form>");

}
mysqli_free_result($result);
mysqli_close($connection);
}

// ------------------------------ WHEN USER ENTERS THE NEW VALUES, DO THIS ----------------------------------
if(isset($_POST['user_update'])) {
    include 'connection.php';

    $updatedForename = $_POST['ud_forename'];
    $updatedSurname = $_POST['ud_surname'];
    $updatedAddress = $_POST['ud_address'];
    $userToUpdate = (int) $_POST['userToUpdate'];

    if($updatedForename == '' OR $updatedSurname == '' OR $updatedAddress == '') {
        echo "<br>Missing Information. Please Try Again";
        exit();
    }

    $updatedForenameEsc = mysqli_real_escape_string($connection,$updatedForename);
    $updatedSurnameEsc = mysqli_real_escape_string($connection,$updatedSurname);
    $updatedAddressEsc = mysqli_real_escape_string($connection,$updatedAddress);

    $statement = "UPDATE customer SET forename = '$updatedForenameEsc', surname = '$updatedSurnameEsc', address = '$updatedAddressEsc' WHERE custID = $userToUpdate";

    $result = mysqli_query($connection,$statement);

    if(!$result) {
        echo "Query Failed";
        exit();
    }

    else {
        if(mysqli_affected_rows($connection) < 1) {
            echo "No Updates Made";
        }
        else {
            echo ("<br>Customer ID Number: " . $userToUpdate . " Updated");
            mysqli_close($connection);
        }
    }
}

// ---------------------------------- WHEN A CUSTOMER IS CHOSEN TO DELETE --------------------------------------

if(isset($_POST['delete'])) {
    include 'connection.php';

    $userToDelete = (int) $_POST['custID'];

    $statement = "DELETE FROM customer WHERE custID = $userToDelete";

    $result = mysqli_query($connection,$statement);

    if(!$result) {
        echo "Query Failed - " . mysqli_error($connection);
        echo "<br><br><strong>Error: </strong>Customer Exists In A Sale";
        exit();
    }

    else {
        if(mysqli_affected_rows($connection) < 1) {
            echo "No Deletion Made";
        }
        else {
            echo ("<br>Customer ID Number: " . $userToDelete . " Deleted");
            mysqli_close($connection);
        }
    }
}

?>

    </div>

</body>
</html>
alanphil

http://php.net/manual/en/function.htmlentities.php with `ENT_QUOTES` – AbraCadaver Dec 12 '16 at 18:56

Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Dec 12 '16 at 19:03

1 Answer

Either use double quotes or htmlentities(), with ENT_QUOTES flag, when echoing your value in the <input/> field. Your <input/> fields are literally coming out like:

<input type='text' name='ud_surname' value='O'Rourke' />
Daerik