Separating HTML causes a problem when string has " " in it


27 Replies - 3684 Views - Last Post: 08 June 2011 - 01:12 PM

#1 eZACKe

Posted 07 June 2011 - 02:46 PM

Ok so here's the deal.

A user can fill out a box and submit it into the database. I use PDO so I don't really have to worry about SQL injection, thus I don't have to do any escaping characters or what not.

Here's the problem though, say in the text box the user enters the string:
I think I'm "cool".

PDO will insert that into the database as: I think I\'m \"cool\".

Now when the user submits this, I have the text go to another page and be displayed. Naturally, I don't want the \'s in it so I do a str_replace of \'s with "" before displaying. No problem. But here I have a problem when I want to enter it into my HTML using code separation:

{{COUNT}}: <input type="text" maxlength="500" name="{{BOX_NAME}}" value="{{BOX_VALUE}}" /><br />



We don't have to worry about {{BOX_NAME}} because my program generates that. {{BOX_VALUE}} on the other hand is what the user inputs, in our case: I think I'm "cool". So it looks like this:

value="I think I'm " <--and then it thinks that's the end.

Problem is, once it gets to this HTML page, it's already been processed by PHP, we're done modifying the string. I could add \'s before sending it to the HTML, but then there's no way to get it out once we're there. So this is a bit of a dilemma here. How can I make the value field accept I think I'm "cool" without closing at the " before the c?

And of course, I could use value='...'. But then we'd encounter the same problem if the string had a ' in it (which is much more likely).


Here's where my code is going:
// get all the achievements for editing
$myoptions = file_get_contents("editAchievsListForm.html");
$editAchievs = '';   // initialise before appending to it in the loop
$achiev_count = 1;
for($j = 0; $j < $numberAchievs; ++$j)
{
	$boxName = "box0" .$achiev_count;
	
	$tags = array("{{COUNT}}", "{{BOX_NAME}}", "{{BOX_VALUE}}");
	// ${'box' . $j} is the variable-variable $box0, $box1, ... holding each achievement
	$replacements  = array($achiev_count, $boxName, ${'box' . $j});
	$editAchievs .= str_replace($tags, $replacements, $myoptions);
	++$achiev_count;
}



And this is editAchievsListForm.html, what I posted above:
{{COUNT}}: <input type="text" maxlength="500" name="{{BOX_NAME}}" value="{{BOX_VALUE}}" /><br />



Thanks for the help!

This post has been edited by eZACKe: 07 June 2011 - 03:09 PM



Replies To: Separating HTML causes a problem when string has " " in it

#2 ahmad_511

Posted 07 June 2011 - 04:27 PM

Hi,
what if you replace the (\') with (')
this will prevent replacing the preceding (\) and double quote will be escaped inside the string
the result may look something like:
value="I think I'm \"cool\""



#3 CTphpnwb

Posted 07 June 2011 - 04:29 PM

Are you using quote instead of prepare?
http://php.net/manual/en/pdo.quote.php

#4 eZACKe

Posted 07 June 2011 - 04:46 PM

CTphpnwb, on 07 June 2011 - 09:29 PM, said:

Are you using quote instead of prepare?
http://php.net/manual/en/pdo.quote.php


No I'm using prepare, for example:
$query = "INSERT INTO `achievements` (email, achievement, dateEntered) values(:email, :newBox, NOW())";
	$result = $pdo->prepare($query);
	$params = array(
	'email' => $email_token,
	'newBox' => $new_box1
	);
	$result->execute($params);



I didn't even know of quote until you just mentioned it.

#5 eZACKe

Posted 07 June 2011 - 04:57 PM

Is there a way PDO can put something into the database without adding (\)'s?

Either way, that's not really the problem. The problem is I can't insert text that has quotes in it into HTML as just HTML because it thinks the quotes are closing the statement.

EDIT: This is the only solution I've been able to find, and I'm hopefully calling it a TEMPORARY solution until I find something better because I don't like how it looks:

$myoptions = file_get_contents("editAchievsListForm.html");
$editAchievs = '';   // initialise before appending to it in the loop
$achiev_count = 1;
for($j = 0; $j < $numberAchievs; ++$j)
{
	//echo "$count: <input type='text' maxlength='$max' name='box0$count' value=\"${'box' . $j}\" /><br />";
	echo $numberAchievs . "############";   // debug output
	$boxName = "box0" .$achiev_count;
	
	$tags = array("{{COUNT}}", "{{BOX_NAME}}", "{{BOX_VALUE}}");
	// replace every " in the user's text with &quot (note: no trailing ';' on the entity)
	${'box' . $j} = str_replace("\"", "&quot", ${'box' . $j});
	$replacements  = array($achiev_count, $boxName, ${'box' . $j});
	$editAchievs .= str_replace($tags, $replacements, $myoptions);
	++$achiev_count;
}



I replace any quotes in the text supplied to the user with &quot. Doing this, my displayed text ends up looking like this:
I think I'm &quotcool"

Not exactly what I'd like, but it does work. Any better solutions?

This post has been edited by eZACKe: 07 June 2011 - 06:18 PM


#6 CTphpnwb

Posted 07 June 2011 - 07:20 PM

This doesn't put quotes in my system:
<?php
require("connection.php");

$add_statement = "INSERT INTO testing (testfield) VALUES (?)";
$atest = new PDO($dsn, $username, $password);
$ins = $atest->prepare($add_statement);

$arr = array('The "quick" brown fox jumped over the "laziest" dog.');
$ins->execute($arr);
echo "done.";

?>

I think your query is the problem. Notice how I have a question mark where the data will go when the query is executed.

#7 eZACKe

Posted 07 June 2011 - 08:39 PM

My solution was to use a textarea instead of a textbox. I just formatted the textarea so that it looks like a textbox. For what I'm creating, it really doesn't matter.

How did this fix it? Here's how:
{{COUNT}}: <textarea type='text' maxlength="255" name='{{SKILLBOX_NAME}}' >{{SKILLBOX_VALUE}}</textarea><br />



Now it doesn't matter what {{SKILLBOX_VALUE}} is, nothing will "break" it.

May just be a means of running away from my problem, but I think this solution is pretty good :bigsmile:

This post has been edited by eZACKe: 07 June 2011 - 08:40 PM

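The question in #1 (a " inside value="..."), the &quot replacement in #5 and the textarea workaround in #7 are all the same problem: user text is being placed into an HTML context without being encoded for that context. The standard fix is htmlspecialchars() with ENT_QUOTES at the point of substitution, which emits &quot; and &#039; with their semicolons, so the browser decodes them back to the original characters and submits the original text when the form is posted. It also covers the textarea case, because a value containing </textarea> would otherwise close the element and whatever follows it is parsed as markup. The following is an added example written for this page, not code from the thread; render_template(), the two template strings and the three sample values are assumptions constructed for the demonstration. It generalises the thread's str_replace() approach by escaping every placeholder value, not just the achievement box.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. render_template() and the sample
// inputs below are constructed for this demonstration.

/**
 * Substitute {{TAG}} placeholders in $template with HTML-escaped $values.
 *
 * ENT_QUOTES encodes both " and ', so the same value is safe inside
 * value="..." and value='...'; < and > are encoded too, so it is also safe
 * between <textarea> tags. strtr() replaces in a single pass, so a user value
 * that itself contains {{BOX_NAME}} is not expanded a second time.
 */
function render_template(string $template, array $values): string
{
    $map = [];
    foreach ($values as $tag => $value) {
        $map['{{' . $tag . '}}'] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return strtr($template, $map);
}

// The two templates from the thread (textarea has no type attribute).
$inputTpl    = '{{COUNT}}: <input type="text" maxlength="500" name="{{BOX_NAME}}" value="{{BOX_VALUE}}" /><br />';
$textareaTpl = '{{COUNT}}: <textarea maxlength="255" name="{{BOX_NAME}}">{{BOX_VALUE}}</textarea><br />';

// Constructed inputs: the string from the thread, a value that would close the
// attribute and add an event handler, and a value that would close the textarea
// and start a <script> element.
$samples = [
    'I think I\'m "cool".',
    '" onfocus="alert(document.cookie)" x="',
    '</textarea><script>alert(1)</script>',
];

foreach ($samples as $i => $value) {
    $vars = [
        'COUNT'     => $i + 1,
        'BOX_NAME'  => 'box0' . ($i + 1),
        'BOX_VALUE' => $value,
    ];
    echo render_template($inputTpl, $vars), "\n";
    echo render_template($textareaTpl, $vars), "\n";
}
```

The first sample renders as value="I think I&#039;m &quot;cool&quot;." and the browser shows I think I'm "cool". in the box; the second and third stay inside the attribute and the textarea as inert text. Escape on output only: do not store entities in the database, and do not strip or replace characters on the way out, or the resume data drifts from what the user typed.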

#8 eZACKe

Posted 07 June 2011 - 09:04 PM

CTphpnwb, on 08 June 2011 - 12:20 AM, said:

This doesn't put quotes in my system:
<?php
require("connection.php");

$add_statement = "INSERT INTO testing (testfield) VALUES (?)";
$atest = new PDO($dsn, $username, $password);
$ins = $atest->prepare($add_statement);

$arr = array('The "quick" brown fox jumped over the "laziest" dog.');
$ins->execute($arr);
echo "done.";

?>

I think your query is the problem. Notice how I have a question mark where the data will go when the query is executed.


The only difference between what you've done and what I've done that I can see is you used positional placeholders and I used named placeholders.

I couldn't imagine that one inserts into a database differently from the other, but maybe they do?

#9 Dormilich

Posted 07 June 2011 - 10:19 PM

eZACKe, on 08 June 2011 - 05:39 AM, said:

My solution was to use a textarea instead of a textbox. I just formatted the textarea so that it looks like a textbox. For what I'm creating, it really doesn't matter.

this sounds more like the slashes are added by PHP while retrieving the data, rather than a PDO issue (I don't see why PDO should add slashes at all). check for the setting of magic_quotes_gpc (should be off) in php.ini.

#10 eZACKe

Posted 08 June 2011 - 06:21 AM

Dormilich, on 08 June 2011 - 03:19 AM, said:

eZACKe, on 08 June 2011 - 05:39 AM, said:

My solution was to use a textarea instead of a textbox. I just formatted the textarea so that it looks like a textbox. For what I'm creating, it really doesn't matter.

this sounds more like the slashes are added by PHP while retrieving the data, rather than a PDO issue (I don’t see why PDO should add slashes at all). check for the setting of magic_quotes_gpc (should be off) in php.ini.


In my php.ini:
; Production Value: Off
; http://php.net/magic-quotes-gpc
magic_quotes_gpc = Off

It appears to me it is PDO adding it. Whenever anything gets added to the database from a PDO query, it always has slashes in it if it has characters that need to be escaped (like (')).


Perhaps a MySQL setting? Anything I should check?

This post has been edited by eZACKe: 08 June 2011 - 06:33 AM

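The placeholder question in #8 and the magic_quotes discussion in #9 and #10 can be settled with a round trip that does not need MySQL or the rest of the application. This is an added example, not code from the thread; it assumes the pdo_sqlite extension is loaded and uses an invented resume(email, state) table. It inserts the same string three ways (named placeholder as in the thread, positional placeholder as in #6, and named placeholder after addslashes(), which is what magic_quotes_gpc does to $_POST before the script sees it) and reports which rows come back with backslashes.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the table and column names are invented for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE resume (email TEXT, state TEXT)');

$raw = "I'm \"here\"";   // constructed test string, as typed into the state box

// 1. Named placeholder, as in the thread's checkCurrent.php.
$stmt = $pdo->prepare('INSERT INTO resume (email, state) VALUES (:email, :state)');
$stmt->execute(['email' => 'named', 'state' => $raw]);

// 2. Positional placeholder, as in CTphpnwb's test in #6.
$stmt = $pdo->prepare('INSERT INTO resume (email, state) VALUES (?, ?)');
$stmt->execute(['positional', $raw]);

// 3. Same named query, but the value was run through addslashes() before it
//    reached PDO. magic_quotes_gpc does exactly this to $_POST at request time.
$stmt = $pdo->prepare('INSERT INTO resume (email, state) VALUES (:email, :state)');
$stmt->execute(['email' => 'pre-slashed', 'state' => addslashes($raw)]);

// Read everything back and report which rows contain a backslash.
$rows = $pdo->query('SELECT email, state FROM resume')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    $verdict = (strpos($row['state'], '\\') === false) ? 'clean' : 'BACKSLASHES';
    printf("%-12s %-12s %s\n", $row['email'], $verdict, $row['state']);
}

// On a PHP 5.3 host like the one in the thread, this reports the setting that
// is actually in effect for this SAPI, including .htaccess / per-directory
// overrides that the global php.ini does not show. The function was removed
// in PHP 8, hence the guard.
if (function_exists('get_magic_quotes_gpc')) {
    printf("magic_quotes_gpc effective: %s\n", get_magic_quotes_gpc() ? 'On' : 'Off');
}
```

Rows 1 and 2 come back exactly as I'm "here"; only row 3 comes back as I\'m \"here\", which is the pattern reported in #12. Named and positional placeholders are bound identically, so if the real database shows slashes the value was altered before execute() was called, and the str_replace("\\", "", ...) calls in resumeValues.php are masking the cause rather than fixing it (if a strip is needed at all, stripslashes() is the inverse of addslashes(), and it belongs on input, not on output).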

#11 CTphpnwb

Posted 08 June 2011 - 06:34 AM

Let's see all of your code.

#12 eZACKe

Posted 08 June 2011 - 06:45 AM

Ok here's every line of code that has to do with a user entering a state:

In my edit.php page:
include_once("new_main.php");
include_once("resumeValues.php");// contains value of $state


// The edit page
$editData = array('{{STREET}}' => $street, '{{CITY}}' => $city, '{{STATE}}' => $state, '{{ZIP}}' => $zip, 
					'{{PHONE}}' => $phone, '{{OBJECTIVE}}' => $objective, '{{EDIT_ACHIEVS}}' => $editAchievs, '{{THE_COUNT}}' => $achiev_count, 
					'{{THE_COUNTP1}}' => $count_plus1, '{{THE_COUNTP2}}' => $count_plus2, '{{EDIT_SKILLS}}' => $editSkills, 
					'{{THE_SKILLCOUNT}}' => $skill_count, '{{THE_SKILLCOUNTP1}}' => $skillcount_plus1, '{{THE_SKILLCOUNTP2}}' => $skillcount_plus2, 
					'{{THE_SKILLCOUNTP3}}' => $skillcount_plus3, '{{THE_SKILLCOUNTP4}}' => $skillcount_plus4);
$edit = createPage('editResume.tpl', 'AppleLearning', $editData);

echo $edit;




The html form that actually shows it:
<div id="editbody">
		<fieldset>
			<legend>Edit Your Resume</legend>
			<div>
			<p>Personal Information</p>
			<div id="personalsection">
				<form method='post' action='checkCurrent.php'>
					<span class="pdata">Street Address</span>	<textarea class ="formStreet" type='text' maxlength="50" name='street' >{{STREET}}</textarea><br />
<span class="pdata">City</span>	<textarea class ="formCity" type='text' maxlength="50" name='city' >{{CITY}}</textarea><br />
					<span class="pdata">State</span>	<textarea class ="formState" type='text' maxlength="50" name='state' >{{STATE}}</textarea><br />
					<span class="pdata">Zip</span>	<textarea class ="formZip" type='text' maxlength="9" name='zip' >{{ZIP}}</textarea><br />
					<span class="pdata">Phone Number</span>	<textarea class ="formPhone" type='text' maxlength="15" name='phone' >{{PHONE}}</textarea><br />
					<input class="personalSaveButton" type='submit'  value='SAVE' />
				</form>



When you submit this form, checkCurrent.php is called, this updates values if they have been changed or if the user adds new ones:

<?php
include_once("new_main.php");
include_once("appleFunctions.php");

// personal section values
$new_street = $_POST['street'];
$new_city = $_POST['city'];
$new_state = $_POST['state'];
$new_zip = $_POST['zip'];
$new_phone = $_POST['phone'];


$sql = "SELECT count(*) FROM `resume` WHERE `email` = :email"; 
$result = $pdo->prepare($sql); 
$params = array(
'email' => $email_token
);
$result->execute($params); 
$number_of_rows = $result->fetchColumn();


if($number_of_rows)
{
	$query = "SELECT streetAddress, city, state, zip, phone FROM `resume` WHERE email = :email";
	$result = $pdo->prepare($query); 
	$result->execute($params); 
	$result->bindColumn('streetAddress', $street);
	$result->bindColumn('city', $city);
	$result->bindColumn('state', $state);
	$result->bindColumn('zip', $zip);
	$result->bindColumn('phone', $phone);
	$result->fetch(PDO::FETCH_BOUND);
}
else
{
	$street = "";
	$city = "";
	$state = "";
	$zip = "";
	$phone = "";
}

if($number_of_rows)
{
	if($new_street != $street)
	{
		$query = "UPDATE `resume` set streetAddress = :new_street WHERE email = :email";
		$result = $pdo->prepare($query);
		$params = array(
		'new_street' => $new_street,
		'email' => $email_token
		);
		$result->execute($params); 
	}

	if($new_city!= $city)
	{
		$query = "UPDATE `resume` set city = :new_city WHERE email = :email";
		$result = $pdo->prepare($query);
		$params = array(
		'new_city' => $new_city,
		'email' => $email_token
		);
		$result->execute($params); 
	}

	if($new_state != $state)
	{
		$query = "UPDATE `resume` set state = :new_state WHERE email = :email";
		$result = $pdo->prepare($query);
		$params = array(
		'new_state' => $new_state,
		'email' => $email_token
		);
		$result->execute($params); 
	}



And later on, if the user hadn't already added one:
else 
{
	$query = "INSERT INTO `resume` VALUES(:email, :new_street, :new_city, :new_state, :new_zip, :new_phone)";
	$result = $pdo->prepare($query);
	$params = array(
	'new_street' => $new_street,
	'new_city' => $new_city,
	'new_state' => $new_state,
	'new_zip' => $new_zip,
	'new_phone' => $new_phone,
	'email' => $email_token
	);
	$result->execute($params);
	
}



So the order of how things work:
edit.php displays the page, getting the values from resumeValues.php. When the form submits, it calls checkCurrent.php which updates the values. This sends control back to edit.php once it is done, and resumeValues gets the new data, and continue...


Yet right now when I enter I'm here in the state box, this is what is shown in the database:
I\'m here


EDIT: Oh, and here's resumeValues.php:
// personal section values	
$sql = "SELECT count(*) FROM `resume` WHERE `email` = :email"; 
$result = $pdo->prepare($sql); 
$params = array(
'email' => $email_token
);
$result->execute($params); 
$number_of_rows = $result->fetchColumn();

if($number_of_rows)
{
	$query = "SELECT streetAddress, city, state, zip, phone FROM `resume` WHERE email = :email";
	$result = $pdo->prepare($query); 
	$result->execute($params); 
	$result->bindColumn('streetAddress', $street);
	$result->bindColumn('city', $city);
	$result->bindColumn('state', $state);
	$result->bindColumn('zip', $zip);
	$result->bindColumn('phone', $phone);
	$result->fetch(PDO::FETCH_BOUND);
	
	$street = str_replace("\\", "", $street);
	$city = str_replace("\\", "", $city);
	$state = str_replace("\\", "", $state);
	$zip = str_replace("\\", "", $zip);
	$phone = str_replace("\\", "", $phone);
}
else
{
	$street = "";
	$city = "";
	$state = "";
	$zip = "";
	$phone = "";
}


This post has been edited by eZACKe: 08 June 2011 - 06:47 AM


#13 CTphpnwb

Posted 08 June 2011 - 06:50 AM

Where does edit.php get the values for variables like $street, $city, and $state? Where are they set?

#14 eZACKe

Posted 08 June 2011 - 06:57 AM

resumeValues.php, I added it in at the end.

#15 CTphpnwb

Posted 08 June 2011 - 07:28 AM

The only place I see you setting a value there is lines 30-34, which set them to null strings.