[RESOLVED] Single, Double Quote Trouble


kzatu
Nov 15th, 2006, 11:36 AM
If I were to store the following quote into a variable named $dog, how could I get this variable to print with both double and single quotes? The value of $dog would come from a mySQL database so I wouldn't be hardcoding the variable in the script.

He said, "Don't touch my dog's bone!"

<?php
echo"<input type=text name=doggy size=75 value='".$dog."'>";
?>

I tried messing with backslashes and forward slashes but didn't have any luck.

visualAd
Nov 15th, 2006, 01:18 PM
Single quotes cannot contain embedded variables. So you can't include it in either. Also, using echo to generate HTML is bad, you should do it like this:

?>
<input type="text" name="doggy" size="75" value="<?php echo($dog)?>" />

kows
Nov 15th, 2006, 03:00 PM
You can't have both types of quotes in an input text, because there isn't any way to escape quotes in HTML. One thing you could do, if you really needed it, is use a <textarea> and style it to look like an input box. Not the best idea, but it would work. I used the code below to do so to show you:
<textarea style="height: 22px; overflow: hidden;" cols=52>\" '' "\ \\</textarea>
The only real problem is that if your user types more than the 52 characters, the text will not continue scrolling because of the overflow: hidden;, and if you don't use that then it will produce an ugly scrollbar. There is no maxlength attribute to prevent this, either. However, you can use JavaScript or a custom written behaviour file to mimic the maxlength attribute, you can read about it here (http://www.experts-exchange.com/Web/Web_Languages/HTML/Q_20781420.html).

kzatu
Nov 15th, 2006, 03:00 PM
I admit that I am new to PHP and I will likely learn later that my code structure is sloppy but that's only something I can learn through experience. When I first started my project I was trying to redirect using the header function but I found that it won't work if I output a single piece of HTML code before the redirect. So someone on this forum recommended that I print all HTML through echos. So I rewrote my entire code to do so and it's been humming with precision ever since. So I imagine there might be something less desirable about echoing HTML, but it hasn't reared its ugly head yet. Would you mind expanding on this?

Also, this PHP application is sort of like a forum except that it's not conversation based, but people do post entries in it, and I can't predict if they will post single or double quotes. Considering that I'm able to use both quote types in a vbforums post, I imagine there must be a way to get around this problem.

kzatu
Nov 15th, 2006, 03:17 PM
Okay, I think I have a solution here. I looked at the source code on this topic, and it uses some &quot; command. So tell me if I got this right... When a user writes a post to my application, I will replace all double quotes with &quot;.

So this HTML should print out correctly
<input type=text name=doggy size=75 value="He said, &quot;Don't touch my dog's bone!&quot;">

visualAd
Nov 15th, 2006, 03:47 PM
You can escape quotes in HTML. PHP has a function to do that: htmlspecialchars()

" = &quot;
& = &amp;
' = &apos;

Don't forget to quote attributes in HTML ;)

kzatu
Nov 15th, 2006, 03:50 PM
Hmm, okay. I really should find a list of all those HTML & codes. Thanks. BTW, you never mentioned why it's bad to echo HTML in PHP.

CornedBee
Nov 15th, 2006, 04:03 PM
&apos; doesn't work in HTML, it's an XML sequence. IE won't interpret it. Use ' instead.

visualAd
Nov 15th, 2006, 04:03 PM
So someone on this forum recommended that I print all HTML through echos. So I rewrote my entire code to do so and it's been humming with precision ever since. So I imagine there might be something less desirable about echoing HTML, but it hasn't reared its ugly head yet. Would you mind expanding on this?
Whoever told you that should be shot. Have a read of this:

http://www.vbforums.com/showpost.php?p=2440249&postcount=7

The reason you cannot send a header after you have written data, is because it is a header. It should come before everything else. As soon as you send HTML or any other kind of output, the headers are flushed.

The best way around this is to write your scripts properly. There is no reason why a small script cannot use the MVC (model-view-controller) design pattern, albeit slightly cut down, and you do not need to be an experienced coder.

Simply split your scripts into two parts:

Database / File (view) <--------> (Part 1 - controller) Input Processing and Data Processing
- do all processing and load any data to be displayed into array
- DO NOT produce any output here

(Part 2 - view) This is where you send your headers
(before HTML output) and finally output your HTML.
- use only simple display logic here and loops

Using this method you can keep all your output separate and if need be change the output to say WML, Javascript or even plain text. It also allows you to independently maintain the controller that accesses the database.

It's an easy pattern to follow and the small, extra investment in time more than pays for itself.

The other, very crude, method you could use is to simply open an output buffer at the beginning of your script. This causes all output to be stored and only flushed at the end of the script. I don't recommend this because it encourages poorly written scripts:

<?php ob_start() ?>


If you use echo to produce HTML output you are shooting yourself in the foot. It makes your scripts harder to maintain, hard to read, unscalable, inflexible and it makes the person who wrote them look incompetent.

CornedBee
Nov 15th, 2006, 04:04 PM
I agree with everything except the single quotes for attribute values. Why not? I've never seen any UA that has problems.

visualAd
Nov 15th, 2006, 04:05 PM
&apos; doesn't work in HTML, it's an XML sequence. IE won't interpret it. Use ' instead.
I've been using XHTML so long I've forgotten what HTML is :D . You don't need to escape ' anyway. I don't even think escaping " is necessary in XML outside attribute values.

CornedBee
Nov 15th, 2006, 04:07 PM
Both true. Escaping > isn't necessary anywhere either. It's just usually done for consistency with escaping <, which is necessary.

visualAd
Nov 15th, 2006, 04:08 PM
Hmm, okay. I really should find a list of all those HTML & codes. Thanks. BTW, you never mentioned why it's bad to echo HTML in PHP.
Give me some time to write. I am a slow typer :D

kzatu
Nov 15th, 2006, 04:11 PM
If you use echo to produce HTML output you are shooting yourself in the foot. It makes your scripts harder to maintain, hard to read, unscalable, inflexible and it makes the person who wrote them look incompetent.

Hey I resent that last sentence! :eek: (j/k). You're lucky that you are catching me while I'm still young and malleable.

I'm going to mark this complete now. Thanks guys.

visualAd
Nov 15th, 2006, 04:18 PM
Hey I resent that last sentence! :eek: (j/k). You're lucky that you are catching me while I'm still young and malleable.

I'm going to mark this complete now. Thanks guys.
None of my comments are personal. But I can direct them at you upon special request and upon transfer of $100 to my paypal account :lol:

penagate
Nov 17th, 2006, 01:52 AM
I've been using XHTML so long I've forgotten what HTML is :D . You don't need to escape ' anyway. I don't even think escaping " is necessary in XML outside attribute values.
Yes, within attribute value strings you only need to escape the quotes that you use to enclose the string.

kzatu
Nov 17th, 2006, 09:16 AM
Those are exactly the words I was looking for when I made this post, I simply couldn't find them at the time. I knew it could be done because my original quote obviously had both. I feel lucky that I naturally use single quotes in all my PHP and double in all my HTML.

So would it be best to use a replace function for getting or putting any data in mySQL, or should I use the htmlspecialchars()?

CornedBee
Nov 17th, 2006, 09:20 AM
MySQL? For putting data into MySQL, use parametrized queries (mysqli, PDO or PEAR::MDB2).

For getting it out, use straight, simple strings.

The question is not about the DB, it's about printing it for the user. The answer is, IMO, to use htmlspecialchars.
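The htmlspecialchars() advice above, as an added example that is not code from the thread: it renders the <input> from the first post so a value holding both quote types survives, laid out as the controller/view split recommended earlier. The sample value and the attr() helper are constructed for this example.

```php
<?php
// Added example, not from the thread: escape a mixed-quote value for an HTML
// attribute with htmlspecialchars(), keeping processing and output separate.

// --- Part 1 (controller): load data, produce no output ---------------------
// Constructed sample standing in for the row fetched from MySQL.
$dog = 'He said, "Don\'t touch my dog\'s bone!"';

// Escape a string for use inside an HTML attribute value. ENT_QUOTES converts
// both " (to &quot;) and ' (to the numeric entity &#039;, since &apos; is not
// an HTML 4 entity, as noted in the thread). On PHP before 8.1 the default
// flags leave ' alone, which would break the single-quoted attribute of the
// original echo; passing ENT_QUOTES explicitly behaves the same on every version.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Check that the escaped form decodes back to the original string, and show
// that ENT_COMPAT (the pre-8.1 default) still leaves a bare ' in the output.
$escaped       = attr($dog);
$roundTrips    = (html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === $dog);
$compatLeaves  = (strpos(htmlspecialchars($dog, ENT_COMPAT, 'UTF-8'), "'") !== false);

// --- Part 2 (view): headers first, then markup with display logic only -----
header('Content-Type: text/html; charset=UTF-8');
?>
<!-- Double-quoted attribute, the &quot; form found in the thread -->
<input type="text" name="doggy" size="75" value="<?php echo attr($dog); ?>" />
<!-- The same value is also safe in a single-quoted attribute, because ' was escaped -->
<input type='text' name='doggy2' size='75' value='<?php echo attr($dog); ?>' />
<p>round trip ok: <?php echo $roundTrips ? 'yes' : 'no'; ?>,
   ENT_COMPAT leaves a bare quote: <?php echo $compatLeaves ? 'yes' : 'no'; ?></p>
```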

kzatu
Nov 17th, 2006, 11:22 AM
Alright, so I've been adjusting my code to use htmlspecialchars() but I've run into a similar problem now.

So I have this mySQL statement in PHP
$query = 'UPDATE table SET field="'.$phrase.'"';

The problem is $phrase may contain double/single quotes. This is the same problem I had before while trying to print mixed quotes to HTML. Now I'm having this problem submitting the data to mySQL. I looked for a mysqlspecialchars() and similar variants but found nothing.

It seems familiar to me, from reading, that there is some way to escape special characters with mySQL.

visualAd
Nov 17th, 2006, 12:08 PM
mysql_escape_string() (http://www.php.net/mysql_escape_string)

If you are using PHP 5 or have PEAR enabled on your server, read post #18.

kows
Nov 17th, 2006, 12:08 PM
$query= 'UPDATE table SET field="' . mysql_real_escape_string($phrase) . '"';

I also apologize for stating before that you couldn't escape HTML characters, I have no idea where my head was at that moment @_@ I was thinking of escaping with slashes, rather than encoding HTML entities.

kzatu
Nov 17th, 2006, 12:12 PM
Yes, I am using PHP5 and I don't know if I have PEAR enabled. I don't know what post 18 means by parametrized queries (mysqli, PDO or PEAR::MDB2). So I did a quick search on mysqli and it was saying something about compiling PHP to use those extensions. Honestly that sounds like another headache and ten more posts with questions. Can I simply use mysql_escape_string() instead?

visualAd
Nov 17th, 2006, 12:25 PM
Of course you can. But using mysqli or PDO is the better option as you don't have to worry about escaping the values you insert into your procedures.
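The PDO route recommended above, as an added example that is not code from the thread: the UPDATE from the later post written with a prepared statement, so the quotes in $phrase never need escaping. It assumes an in-memory SQLite database so it runs without a MySQL server; the PDO calls are the same with a MySQL DSN, and the table, column and sample value are constructed for the example.

```php
<?php
// Added example, not from the thread: parametrized UPDATE with PDO.
// Assumption: SQLite in memory stands in for MySQL so this runs offline; with
// MySQL the only change is the DSN, e.g. 'mysql:host=localhost;dbname=YOUR_DB'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and row standing in for the poster's "table" / "field".
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, field TEXT)');
$pdo->exec("INSERT INTO posts (id, field) VALUES (1, 'old')");

// The mixed-quote value from the first post.
$phrase = 'He said, "Don\'t touch my dog\'s bone!"';

// Store a value with a placeholder: the value travels separately from the SQL
// text, so neither ' nor " inside it can terminate the string literal early.
function storePhrase(PDO $pdo, int $id, string $phrase): int
{
    $stmt = $pdo->prepare('UPDATE posts SET field = :phrase WHERE id = :id');
    $stmt->execute([':phrase' => $phrase, ':id' => $id]);
    return $stmt->rowCount();
}

// Read it back plainly; as the thread says, nothing is escaped on the way out.
function loadPhrase(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT field FROM posts WHERE id = ?');
    $stmt->execute([$id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

$updated = storePhrase($pdo, 1, $phrase);
$stored  = loadPhrase($pdo, 1);
echo 'rows updated: ', $updated, "\n";
echo 'stored value identical to input: ', ($stored === $phrase ? 'yes' : 'no'), "\n";

// For comparison, the concatenated statement from the thread yields this SQL
// text; the embedded " closes the literal early, which is the error seen above.
echo 'UPDATE posts SET field="' . $phrase . '" WHERE id=1', "\n";
```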

kzatu
Nov 17th, 2006, 12:27 PM
You guys are awesome. Thanks.