Hey, I have a form that posts a user's profile information to a php file that then stores it into the database. The user can go back to the edit profile page to edit their profile as many times as they want. However if they have used a " in their profile information, the values within the input boxes don't appear as they should. It's obviously as the " is closing the value = "" section before it should. How would I overcome this problem? I was thinking about automatically replacing the " with ' using str_replace() but how would I do that because, str_replace ( """ , "'" , $string) wouldn't work would it... Thanks, Hodge
Apologies for the brief reply, I'm about to go home. addslashes() should do what you need, combined with stripslashes() when you want to remove them
Thanks for your reply void but as magic_quotes_gpc is on on my server doesn't it mean that I don't need to do that?
Try something like this:
if (!get_magic_quotes_gpc()) {
    $yourVariable = addslashes($_POST['yourVariable']);
} else {
    $yourVariable = $_POST['yourVariable'];
}
I wouldn't do it that way. You would add a slash for future reference though.
str_replace("\"","'",$string);
A couple of things. stripslashes() should be run when retrieving the data from the database, i.e.
$query = mysql_query("select c1 FROM table WHERE ...");
while ($row = mysql_fetch_assoc($query)) {
    echo stripslashes($row['c1']);
}
Also, when inserting the data to protect yourself, always use mysql_real_escape_string() on any type of data that is inserted that is from a global variable, i.e. $_POST && $_GET
mysql_query("INSERT INTO table (c1) VALUES ('".mysql_real_escape_string($_POST['posted_value'])."')");
Hey, Basically I can store and show fields correctly as magic_quotes_gpc is on. For example if there was a biography section and you write: Then show it on their profile page, it would work just fine. It's when I use that in a "value = " attribute within a <form> that I get problems because it cuts off the value attribute prematurely. Just to clarify here's an example:
// .... coding before this section ....
// Retrieve Band Profile Info
$sql = "SELECT * FROM bands WHERE bandID = '$bandID'";
$result = mysql_query ($sql , $conn);
$bandInfo = mysql_fetch_assoc ($result);
$biography = $bandInfo['biography'];
// Print Form That Allows Editing of Band Profile
print <<<HERE
<form action = "saveProfile.php" method = "POST">
<p> Biography: <input type = "text" name = "biography" value = "$biography"> </p>
<p> <input type = "submit" value = "Save Profile"> </p>
</form>
HERE;
When the page is shown to the user, the value within the text input box will read "Our band was started in 2005 when we all met up at a university called " and the end would be cut off because of the premature closing of the value attribute. Hope that clarifies my problem
When the $biography info is first inserted into your db use addslashes, and when you display it use stripslashes.
$biography=addslashes($biography);
$biography=stripslashes($biography);
Yep! Try replacing (line 8)
$biography = $bandInfo['biography'];
With this
$biography = str_replace("\"","&quot;",$bandInfo['biography']);
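
Added example, not part of the original thread: it runs the approaches suggested above (addslashes, swapping " for ', swapping " for &quot;) next to htmlspecialchars() with ENT_QUOTES, builds the same value = "..." input each time, and reads the attribute back with an HTML parser to show what the text box would contain. The biography text is constructed, value_seen_by_parser() is a hypothetical helper, and PHP's DOM extension is assumed to be enabled.

```php
<?php
// Added example, not code from the thread. The biography text is constructed.
// Each encoder below is one approach suggested for value = "$biography".
$biography = 'We met at a university called "Example U" & it\'s <great>';

$encoders = array(
    // Backslashes mean nothing to an HTML parser, so the " still ends the attribute.
    'addslashes' => function ($s) { return addslashes($s); },
    // Swapping " for ' avoids the break but changes what the user wrote.
    'replace with apostrophe' => function ($s) { return str_replace('"', "'", $s); },
    // Encodes the double quote only; &, < and > are passed through raw.
    'replace with &quot;' => function ($s) { return str_replace('"', '&quot;', $s); },
    // Encodes &, <, >, " and ' for the HTML context at output time.
    'htmlspecialchars' => function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); },
);

// Build the input the way the edit page does, then read the value back
// with an HTML parser to see what a browser would put in the text box.
function value_seen_by_parser($encoded)
{
    $html = '<form><input type = "text" name = "biography" value = "' . $encoded . '"></form>';
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // broken markup is expected here
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? null : $input->getAttribute('value');
}

foreach ($encoders as $name => $encode) {
    $seen = value_seen_by_parser($encode($biography));
    printf("%-24s %s\n    parser reads: %s\n", $name,
        $seen === $biography ? 'round-trips' : 'ALTERED', var_export($seen, true));
}
```

Encoding for HTML belongs at the point where the value is printed into the page; escaping for the SQL query (mysql_real_escape_string() in the thread) is a separate step for a different context and does not replace it.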