-
Oct 5th, 2009, 03:59 PM
#1
Thread Starter
Lively Member
[RESOLVED] Text Box Help
My website visitors are using a textbox to add comments to a page. If I use the ' symbol, my PHP code interprets it as an opening or closing speech mark. How can I get around this so that users can use the ' symbol and still be able to post comments?
Many thanks
Syrillia
-
Oct 5th, 2009, 05:00 PM
#2
Re: Text Box Help
Use addslashes(). It escapes special characters such as the single quote so you can use the string in your code. Try this for an example:
Code:
<?php
echo addslashes($_POST["myText"]);
?>
<form method="POST">
<textarea name="myText">That's all, folks.</textarea>
<input type="submit"/>
</form>
-
Oct 5th, 2009, 05:32 PM
#3
Re: Text Box Help
Er. Quotes don't harm <textarea> in the first place, and slashes definitely do not escape ANYTHING that has to do with HTML. as long as your string is held within a variable, it doesn't need to have slashes added to it to be used in your code; PHP does all of that kind of stuff for you. and addslashes() is bad, anyway. don't use it.
even still, the question in general doesn't make much sense. I don't know what you mean when you say your PHP code is interpreting it as an opening or closing "speech mark." perhaps you could post some of your code so that I may get a better understanding of what you're trying to do.
the only thing I could even think of was if you're using an <input> and the user comments are breaking it somehow. for this, normally you could utilize htmlentities(). however, if you're having a single quote break your <input>, this won't help. using single quotes to define attributes within HTML tags is bad practice (and this could be one of the reasons why!). just switch to using double quotes with htmlentities().
PHP Code:
<?php
$var = "test ' test!";
$var = htmlentities($var);
?>
<input type="text" value="<?php echo $var; ?>" />
judging from your question, my solution was not what you were looking for, but I thought I'd throw it out there just in case. please be a little more clear, and posting example code is always helpful.
-
Oct 5th, 2009, 10:05 PM
#4
Re: Text Box Help
I had the same general confusion about the purpose of the question, so the answer might not be appropriate, no. Why do you say addslashes() is bad though?
-
Oct 5th, 2009, 10:34 PM
#5
Re: Text Box Help
well, addslashes() would still not help even in the least in the example you made ;)
anyway, addslashes() basically mimics the functionality of magic_quotes_gpc, a feature that has been since deprecated in PHP5. the only time you should need to "add slashes" to anything is for entry into a database, and you should be using the proper database escaping function (mysql_real_escape_string(), for example), or prepared statements. I'll quote penagate here:
 Originally Posted by penagate
Rule of thumb: If you're using addslashes and stripslashes, you probably shouldn't be.
-
Oct 6th, 2009, 01:46 AM
#6
Re: Text Box Help
 Originally Posted by kows
well, addslashes() would still not help even in the least in the example you made 
Yes yes, that was rather implicitly clear from your previous post. I don't even use addslashes() regularly myself, no; call it a random guess 'cause I have no idea what the OP's real issue is.
-
Oct 6th, 2009, 04:49 AM
#7
Re: Text Box Help
 Originally Posted by syrillia
My website visitors are using a textbox to add comments to a page. If I use the ' symbol, my php code interprets it as an opening or closing speech mark. How can I get around this so that users can use the ' symbol and still be able to post comments.
Many thanks
Syrillia
Are you storing the comments, etc in a database? If so this is the code I use:
PHP Code:
<?php
// Reject the submission only when every field is empty
if (($_POST['name'] == "") AND ($_POST['email'] == "") AND ($_POST['comment'] == "")) {
    $error1 = "<font face='verdana' color='Red' size='2'><STRONG>It appears as if you've tried to submit a blank form:</STRONG><br><br>";
    echo "$error1";
}
else
{
    //connect
    $mysql_link = mysql_connect("localhost", "user", "")
        or die("Unable to connect to SQL server");
    mysql_select_db("feedback", $mysql_link) or die("Unable to select database");
    // The posted values are interpolated into the query string as-is
    $insert = "INSERT INTO guestbook VALUES('', '$_POST[name]', '$_POST[email]', '$_POST[comment]')";
    if ($mysql_insert = mysql_query($insert, $mysql_link)) {
        echo "Record Added";
    }
    else {
        // mysql_query() returned false; show the server's error message
        echo mysql_error($mysql_link);
    }
}
?>
Here is the html:
HTML Code:
<html>
<head>
<title>Guestbook</title>
</head>
<body>
<form method="POST" action="guestbook.php">
<br>
<p>Name:
<input type="text" name="name" size="20"></p>
<p>Email:
<input type="text" name="email" size="40"></p>
<p>Message: <textarea rows="4" name="comment" cols="20"></textarea></p>
<p><input type="submit" value="Add" name="action"></p>
</form>
</body>
</html>
With that code I can submit the ' character as well as most others.
-
Oct 6th, 2009, 08:52 AM
#8
Re: Text Box Help
it's evident with the code you posted that the server you're using has magic_quotes_gpc on (otherwise, no, the code you posted would not run if you had a single quote in either of those fields). like mentioned earlier, this is a deprecated feature and isn't something you should be [implicitly] supporting. you should use a recursive function that strips those slashes from the super globals, and then prepare them for the database (via the mysql_real_escape_string() function or a prepared statement using mysqli or pdo) yourself later on.
whichever way you decide to prepare the statements, you should try to avoid making posts that do not emphasise how easy it is to build a website that can be vulnerable to SQL injection.
oh, and as always, try not to be echoing HTML! PHP is an embedded language (meaning it should be embedded within HTML, and not used to output HTML), and thus, should be treated as though it is one.
I feel so anal-retentive.
Last edited by kows; Oct 6th, 2009 at 08:57 AM.
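The two escaping contexts discussed in posts #3 and #8 (a prepared statement for the database, HTML encoding only at output), as an added example that is not code from any poster in this thread. It assumes the pdo_sqlite extension and uses an in-memory SQLite table in place of the thread's MySQL guestbook; the `$post` array, `save_comment()` and `h()` are hypothetical names with constructed sample input.

```php
<?php
// In-memory SQLite so the example runs offline (assumption: pdo_sqlite is loaded).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE guestbook (
    id INTEGER PRIMARY KEY, name TEXT, email TEXT, comment TEXT)');

// Constructed stand-in for $_POST, containing both quote characters and markup.
$post = [
    'name'    => "O'Brien",
    'email'   => 'obrien@example.com',
    'comment' => "That's all, folks. <b>\"quoted\"</b>",
];

function save_comment(PDO $pdo, array $post): void
{
    // Placeholders keep the values out of the SQL text entirely,
    // so no slashes are added and none need stripping later.
    $stmt = $pdo->prepare(
        'INSERT INTO guestbook (name, email, comment)
         VALUES (:name, :email, :comment)'
    );
    $stmt->execute([
        ':name'    => $post['name'],
        ':email'   => $post['email'],
        ':comment' => $post['comment'],
    ]);
}

function h(string $s): string
{
    // ENT_QUOTES encodes ' as well as ", so the result is safe inside
    // single-quoted and double-quoted attribute values alike.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

save_comment($pdo, $post);

foreach ($pdo->query('SELECT name, comment FROM guestbook') as $row) {
    // The database holds the comment exactly as typed.
    if ($row['comment'] !== $post['comment']) {
        throw new RuntimeException('stored comment was altered');
    }
    // Encoding happens here, for the HTML context only.
    echo '<p><strong>', h($row['name']), '</strong>: ', h($row['comment']), "</p>\n";
    echo "<input type='text' value='", h($row['name']), "'>\n";
}
```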
-
Oct 6th, 2009, 09:29 AM
#9
Re: Text Box Help
 Originally Posted by kows
I feel so anal-retentive.
Tis what scripting forums are for, you know. :Þ
-
Oct 6th, 2009, 09:31 AM
#10
Thread Starter
Lively Member
Re: Text Box Help
Thanks. You guys are more helpful than the people at DreamInCode.