01-16-2007, 02:07 PM
#1
Recruit
Join Date: Feb 2006
Posts: 22
Double quotes in a form
Hello, I'm stumped on this. I've got a form that users input stuff into; it can include single and double quotes. The form is then submitted into a mysql database as a text field. The form submits fine with single quotes, but not double quotes. I've tried using htmlspecialchars before it sends to the database, but it still doesn't work.
So here's kind of how it goes. Submit something like "this".
It previews fine, then submit to database and it doesn't seem to turn the quotes into the special characters (it turns the single quotes fine), but it just doesn't have any data after where the first quote should be.
Where it submits into the database is similar to this (I changed the variable names, and there is more than one variable):
$query = "INSERT INTO `table` (`text`) VALUES ('$articleText');";
I do this before inserting into the database:
$articleText=htmlspecialchars($articleText);
I'm just not sure what I'm doing wrong.... Thanks to anybody that can help! Let me know if I need to explain it any better.
01-16-2007, 02:42 PM
#2
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,489
first i'd advise that you not use htmlspecialchars on inserting data. instead, use it after extracting the data and before you print it to the screen.
as to your problem, what does the query look like when you echo $query?
you should probably use mysql_real_escape_string() to escape your input as well.
PHP Code:
$sql = "INSERT INTO table (text) VALUES ('".mysql_real_escape_string($articleText)."')";
// print the query to the screen so you can make sure it looks good
echo $sql;
// execute it
mysql_query($sql);
__________________
Mike
01-16-2007, 02:49 PM
#3
Recruit
Join Date: Feb 2006
Posts: 22
Using that above, the query echo looks like this:
This is a test using \\\'single\\\' and
Cutting off right before the double quote. I'm just going off what little self-teaching I've done reading tutorials, so I'm probably inserting it all wrong.
01-16-2007, 02:55 PM
#4
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,489
when you go to this "preview" page.. how are you storing the text that is going to be sent to the query?
__________________
Mike
01-16-2007, 02:58 PM
#5
Recruit
Join Date: Feb 2006
Posts: 22
The form is submitted using POST. I just echo the variable from the post into the value in the form. It shows fine there; then, if it's submitted again, it sends through.
Like this:
<textarea cols="35" rows="5" name="articleDetails" id="articleDetails"><?php echo stripslashes($_POST['articleDetails']); ?></textarea>
01-16-2007, 03:28 PM
#6
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,489
does this code do the same thing for you? submit something like: codenewbie's mascot is named "stan"
PHP Code:
<?php echo stripslashes($_POST['testvar']); ?>
<hr />
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<textarea name="testvar" id="testvar"><?php echo stripslashes($_POST['testvar']); ?></textarea>
<input type="submit">
</form>
theoretically, the second time you submit that would be imitating what you are doing.
__________________
Mike
01-16-2007, 03:37 PM
#7
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,489
also, since you have magic quotes on your server, then you probably gotta do something like this on your insert:
Code:
$sql = "insert into table (field) values ('".mysql_real_escape_string(stripslashes($input))."');";
__________________
Mike
01-17-2007, 02:59 AM
#8
Senior Contributor
Join Date: Mar 2005
Posts: 676
Relying on magic_quotes is bad because when your host finally turns it off or upgrades to PHP 6 (doesn't have it anymore) you're screwed.
__________________

UT: Ultra-kill... God like!
01-17-2007, 06:07 AM
#9
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,489
Quote:
Originally Posted by DJMaze
Relying on magic_quotes is bad because when your host finally turns it off or upgrades to PHP 6 (doesn't have it anymore) you're screwed.
i think he means PHP 5.
i still don't see why it would be happening if the full content of the textarea being submitted is the same as it was on the previous page.
__________________
Mike
01-17-2007, 07:58 AM
#10
Recruit
Join Date: Feb 2006
Posts: 22
Quote:
Originally Posted by sde
does this code do the same thing for you? submit something like: codenewbie's mascot is named "stan"
PHP Code:
<?php echo stripslashes($_POST['testvar']); ?>
<hr />
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<textarea name="testvar" id="testvar"><?php echo stripslashes($_POST['testvar']); ?></textarea>
<input type="submit">
</form>
theoretically, the second time you submit that would be imitating what you are doing.
That did work, so then it's got to be something on the form. I'll go over the form again and make sure I've got it all working right.
I can easily turn off magic_quotes. It's a dedicated server, though I would just want to make sure it didn't screw anything else up (I've seen people mention the dangers of it being on).
I also just remembered something on this, small difference, and I don't think it would change anything, but just in case. What it does is actually submit the form for the preview. The preview just displays it all as text, with a hidden field for each item, like this:
<input name="articleText" type="hidden" value="<?php echo stripslashes($_POST['articleText']); ?>" />
If that preview is submitted, then it sends that to the form to insert.
01-17-2007, 09:10 AM
#11
Senior Contributor
Join Date: Mar 2005
Posts: 676
Quote:
Originally Posted by sde
i think he means PHP 5.
i still don't see why it would be happening if the full content of the textarea being submitted is the same as it was on the previous page.
yes but magic_quotes is bad so his code should run like:
PHP Code:
<?php
// roll-back freakin scary hosts messed data
if (get_magic_quotes_gpc()) {
    $_POST['testvar'] = stripslashes($_POST['testvar']);
}
if ($_POST['preview']) {
?>
<hr />
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<textarea name="testvar" id="testvar"><?php echo htmlspecialchars($_POST['testvar']); ?></textarea>
<input type="submit">
</form>
<?php
} else {
    // escape the submitted value itself (the original line used an undefined $articleText here)
    mysql_query('INSERT INTO table (text) VALUES (\''.mysql_real_escape_string($_POST['testvar']).'\')');
    // or:
    // mysql_query(sprintf('INSERT INTO table (text) VALUES (\'%s\')', mysql_real_escape_string($_POST['testvar'])));
}
1. never rely on magic_quotes so get rid of it
2. always convert to html entities on output (htmlspecialchars for example)
3. always use the database *sql_(real_)escape_string function
By doing that you have the safest environment; otherwise you get big security holes.
There's no danger having magic_quotes on other than programmers relying on it, because when it gets turned off there are loads of security holes popping up.
magic_quotes was designed to overcome the security risks involved with programmers not validating input data so that data was already escaped before some messy security holed script runs it.
I can go in detail but mainly speaking: magic_quotes = on = getting sloppy at coding
Look at your code for example, did you ever consider using mysql_real_escape_string?
__________________

UT: Ultra-kill... God like!
Last edited by DJMaze; 01-17-2007 at 09:18 AM.
Reason: Added some info about magic_quotes
01-17-2007, 10:45 AM
#12
Recruit
Join Date: Feb 2006
Posts: 22
So as long as I'm using the addslashes, htmlspecialchars, and the sql escape string, then I'm safe to turn off magic_quotes?
I'm looking over my page, still can't find where it's different from the example posted, but it's got to be there somewhere.
edit: Ok. It displays the preview text, but something has to be going wrong when it creates that hidden variable, because it does not send it through there.
edit2: and duh. I wasn't doing the htmlspecialchars before I put it into the hidden field, that's why it wasn't working. Well, now I know more. Thanks to you guys for helping me find out what was up.
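An added example, not from the thread or any of its posters, putting the bug found in #12 next to the three rules from #11: the unescaped hidden field that loses everything after the first double quote, the htmlspecialchars() version that round-trips it, a one-time magic_quotes rollback, and the insert done with a PDO prepared statement in place of the mysql_real_escape_string() concatenation shown above. The `$pdo` connection, the `articles` table and the `articleText` column are assumed placeholders for the poster's real names.

```php
<?php
// Added example (not the thread's code). Assumes a PDO connection $pdo and a
// table `articles` with a TEXT column `articleText` (placeholder names).

// 1. Undo magic_quotes_gpc once, up front, so the rest of the script sees raw
//    input. The feature was removed in PHP 5.4 and get_magic_quotes_gpc() in
//    PHP 8.0, hence the function_exists() guard.
function raw_post(string $key): string
{
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2a. The broken preview field from the thread: the first " in the text closes
//     the value attribute, so the browser submits only the text before it and
//     treats whatever follows as attribute markup (an injection point, too).
function hidden_field_broken(string $name, string $text): string
{
    return '<input name="' . $name . '" type="hidden" value="' . $text . '" />';
}

// 2b. Fixed: escape for the HTML context at output time. ENT_QUOTES covers
//     both quote styles, so the value survives inside the attribute and the
//     browser decodes it back to the original text on submit.
function hidden_field(string $name, string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return '<input name="' . $name . '" type="hidden" value="' . $safe . '" />';
}

// 3. Insert with a prepared statement: the driver sends the value separately
//    from the SQL text, so no quoting of the data is needed at all.
function insert_article(PDO $pdo, string $text): void
{
    $stmt = $pdo->prepare('INSERT INTO articles (articleText) VALUES (:text)');
    $stmt->execute([':text' => $text]);
}

// Constructed sample input (the string from post #6).
$text = 'codenewbie\'s mascot is named "stan"';
echo hidden_field_broken('articleText', $text), "\n"; // attribute ends at the "
echo hidden_field('articleText', $text), "\n";        // whole string preserved
```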
01-17-2007, 10:50 AM
#13
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,489
you wouldn't be using addslashes and mysql_real_escape_string together.
htmlentities is for output.. not input.
so basically, turn magic quotes off and use the escape function.
__________________
Mike
01-17-2007, 10:59 AM
#14
Recruit
Join Date: Feb 2006
Posts: 22
Awesome, thanks for the help again. I'll check all of my forms that put stuff into the database, add the mysql_real_escape_string, and also check stuff pulling from the database and add the htmlspecialchars to those, then turn off the magic_quotes. Booyah.
Copyright © 2000-2008, Milano Interactive