
I have a simple MySQL CRUD DB managed with simple HTML forms. The input to some fields is literature text which can be quite complex in punctuation, and entry is by those who require very precise, correct punctuation.

I have an adequate answer (mysqli::real_escape_string) to getting the data in - which seems to cover all the cases I need. I have no problem in retrieving and simply displaying the string totally correctly but cannot find a satisfactory answer to inserting the retrieved value in a text field default value in an update form.

An example of the sort of string I am talking about is

Is this is a quote from Marlowe's Faust !!? & "WHY"

which when set as a default displays as

Is this is a quote from Marlowe's Faust !!? &

OR

Is this is a quote from Marlowe's Faust !!? & WHY"

which displays as

Is this is a quote from Marlowe's Faust !!? & WHY

A problem seems to arise when I have one or more sets of double quotes (") in the string.
I could handle that case if I was sure that was the only character that would give me a problem, but I wonder if there are some other characters which I haven't yet come across.

Additional information: the code snippet

    <h2 style="color:RED"><u>UPDATE INFORMATION FOR RECORD  </u></h2>
    <h2 style="color:RED"><u>UPDATING IS NOW LIVE </u></h2>
    <form action="/update/updater.php?">
      <?php echo "Retrieved string is - ".$getRow['1'];?>
      <p style="color:RED"><u><b>CHANGE OR ADD TITLE  </b></u></p>
      <label for="Ntitle"></label>
      <input type="text" id=Ntitle" name="Ntitle" value="<?php echo $getRow['1'];?>" size="50" >

that results in

UPDATE INFORMATION FOR RECORD - LKDDM:1900.384.03 UPDATING IS NOW LIVE Retrieved string is - Is this is a quote from Marlowe's Faust !!? & "WHY" CHANGE OR ADD TITLE Is this is a quote from Marlowe's Faust !!? &

OR UPDATE INFORMATION FOR RECORD - LKDDM:1900.384.03 UPDATING IS NOW LIVE Retrieved string is - Is this is a quote from Marlowe's Faust !!? & WHY" CHANGE OR ADD TITLE Is this is a quote from Marlowe's Faust !!? & WHY

This is NOT a sanitizing question; the data in the database is fine - and as is required by the user - entry is well safeguarded.

It's this silly little formatting issue which is so frustrating

  • Use `utf8_encode` when inserting into the db, and `utf8_decode` when displaying values retrieved from db. The db collation should be something like `utf8mb4_unicode_ci`. Furthermore, when you want to display characters that would be interpreted as html by browsers, you can use `htmlspecialchars()` https://www.php.net/manual/en/function.htmlspecialchars.php if you do not use a template engine (and work with php). – Hans Spieß May 02 '21 at 14:27
  • Sorry, I think the db aspect is almost a red herring but see later. I can retrieve and echo the string perfectly and then I save it into a variable. The issue is simply displaying the string as a default value string. I cannot just use a simple character substitution in and out of the DB because it interfaces with another database which I have no control over – Steve U May 02 '21 at 14:42
  • could you share the exact code where you output the html? – Hans Spieß May 02 '21 at 15:15
  • Never use `real_escape_string`! Use parameter binding – Dharman May 02 '21 at 15:47
  • @HansSpieß Please stop spreading lies. Never use `utf8_encode` and especially not on the data going into the database. – Dharman May 02 '21 at 15:48
  • 1
    Does no one who complains about duplicates read [the help center article](https://stackoverflow.com/help/duplicates) or [the FAQ entry](https://meta.stackoverflow.com/q/252252/215552) on the subject?!! – Heretic Monkey May 02 '21 at 16:56
  • If the value containing double quotes is rendered inside the input, you get markup like ``. The browser interprets the first " inside the string as the double quote closing the value attribute, ignoring everything after until the closing >. To work around this, use `htmlspecialchars()` to output the value: ``. Also, you miss a " after the `id` attribute of the input element. – Hans Spieß May 02 '21 at 17:45
  • @Dharman i did not intend to "spread lies". So, if you feel my advice is dangerous to other readers, explain why, and explain the more appropriate solution in a way others could follow it. – Hans Spieß May 02 '21 at 17:47
  • The answer I provided still looks correct. I don't know what you complain about. The problem as explained by Hans is XSS. You need to format the data when outputting to HTML. Use `htmlspecialchars()` – Dharman May 02 '21 at 17:51
  • Thank you gentlemen - yes indeed the " causes havoc but as I said that is easily dealt with. I was mainly concerned that I may be met with other characters that would cause similar formatting issues since the range of the users' punctuation is very wide. But I have kindly been provided with a snippet by a lecturer in linguistics which deals with exactly the problem. I am seeking his approval to post it here and shall close this thread – Steve U May 02 '21 at 20:39
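
An added example, not code from the question or from any of the commenters, showing the attribute truncation described in the thread beside the `htmlspecialchars()` fix, plus the parameter-binding approach to the update itself that the comments mention. The `records` table, its `title` and `id` columns, the `$db` connection and the function names `renderUnsafe`, `renderSafe`, `attr` and `updateTitle` are assumptions made for this example.

```php
<?php
// Added example (not from the question or its comments): rendering a
// database value into an <input> value attribute without breaking the
// markup, and writing it back with a prepared statement.
declare(strict_types=1);

// Constructed sample value of the kind the question describes.
$title = 'Is this is a quote from Marlowe\'s Faust !!? & "WHY"';

// UNSAFE: the raw string is pasted into the attribute. The first " inside
// the value closes the attribute early, so the browser keeps only
// `Is this is a quote from Marlowe's Faust !!? & ` and treats the rest of
// the string as stray attribute tokens. Any other character sequence that
// the HTML parser understands (a quote, < or >) is interpreted the same
// way, which is why this is an XSS sink and not just a display glitch.
function renderUnsafe(string $value): string
{
    return '<input type="text" id="Ntitle" name="Ntitle" value="'
        . $value . '" size="50">';
}

// SAFE: htmlspecialchars() with ENT_QUOTES turns & " ' < > into entities.
// The browser decodes them back to the original characters when it reads
// the attribute, so the field shows exactly what is stored, and none of
// them can terminate the attribute or open new markup. This handles every
// problematic character, not only the double quote.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(string $value): string
{
    return '<input type="text" id="Ntitle" name="Ntitle" value="'
        . attr($value) . '" size="50">';
}

// Inbound side (assumed table/columns): a prepared statement keeps the
// text separate from the SQL, so nothing in the stored value is altered
// and no escaping or character substitution is needed on the way in.
function updateTitle(mysqli $db, int $id, string $title): bool
{
    $stmt = $db->prepare('UPDATE records SET title = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $title, $id);
    return $stmt->execute();
}

echo renderUnsafe($title), PHP_EOL;
echo renderSafe($title), PHP_EOL;
```

Because the browser undoes the entity encoding when it parses the attribute, the value submitted back in `$_GET['Ntitle']` is the original text with its quotes, ampersands and apostrophes intact; `htmlspecialchars()` is applied only at output, never before storing, so nothing is double-encoded and the data exchanged with the other database is untouched.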

0 Answers