Its a scenario of message and the reply post for articles and the posted messages are stored in the database.
This message as a parameter is passed to the script (lets call is 'insert.php') doing this insertion is called from the js function onclick of the submit.
Inside this 'insert.php', before inserting into the database there is just a mysql_real_escape_string() on that message string passed to it. It replaces the comma with the backslash & comma.And the same is assigned to the hidden variable in the form in the "insert.php" the target of it is the ref i.e. original script which calls for this script through js function , having the html input elements, to display back as message inserted by the user, say part of the "Thank you" message. But the problem comes now.Inside this, thank you message only the part of the inserted string upto the backslash (which was introduced by the mysql_real_escape_string with the comma)is displayed.

This is been verified that the string (which is a test string containing comma) is passed as a whole to the "insert.php".So no issues while passing to it, I doubt theres something wrong while assigning the message string inside the "insert.php" to the hidden element.
For example, the passed string is stored in the $msg variable and then escaped and used in the insert query.Finally assigned to the hidden inside the form like somewhat below.

$msg = $_POST['msg_frm_js_functn'];
$msg = mysql_real_escape_string($msg);
echo "..<form name='frm' id='frm' method='post' action='".$ref."'>
<input type='hidden' name='hdn_msg' value='".$msg."' >
echo "<script>document.frm.hdn_msg.submit()</script>";

The messaged returned from here is displayed as -

$msg_show = str_replace("\'","'",$_POST['hdn_msg']);
$msg_show = str_replace('\"','"',$msg_show);
<div>Your message:<?=$msg_show?> </div>

Recommended Answers

All 5 Replies

Member Avatar

I don't follow are you backslashing (escaping) quotation marks (") and (') or commas (,)? Looks like quotation marks to me.

You can reverse the escaped string with stripslashes($string) before inserting it into your hidden field.

$hdn_msg = stripslashes($string_from_db);

<input name="hdn_msg" id="hdn_msg" value="<?php echo $hdn_msg;>" />


$msg_show = stripslashes($_POST['hdn_msg']);
<div>Your message:<?php echo $msg_show;?> </div>

Apologies if this isn't what you're looking for.

Its very weird! But nothing seems to work there.
Whatever we use for cleaning the string, it just cuts the string from there instead of working as expected

Member Avatar

Long shot: Is your field length long enough to accept the string?
Try is without mysql_real_escape_string() - do you still get a truncated msg?

Long shot: Is your field length long enough to accept the string?
Try is without mysql_real_escape_string() - do you still get a truncated msg?

That has been checked already; nothing wrong with the database, the string gets stored in the database with slashes and as a whole.
The database design is perfectly fine, all the field sizes are fine.
For example -
1)If user inputs "This is the best chemistry's book I have ever see" as a comment.
2)The string is passed as a parameter to the js function
(Now inside this function too, the string is fine, in the alert, no stripped string etc)
3)One form is submitted in the same page whose action is another script, which inserts data into database.
So now our string is assigned to hidden variable inside this form.

<input type="hidden" name="hdn" id="hdn" value="">

upto here its fine too.
4)Control goes to another script and

$str = mysql_real_escape_string($_POST['hdn']) is done.

The query -

$query = "insert into tbl (field1,field2) values ('".$something."','".addslashes($str)."') ";
$q = mysql_query($query);

It inserts into the database as

sr no  | field1 | field2
1    | data1   | This is the best chemistry\'s book I have ever seen

5)In this script after successful insertion the another form like below, is submitted, and its hidden field carries our $str.
<form method='post'>
<input type='hidden' name='msg_ins' value='<?=$str?>' >
Its action is our first script.
6)So the control is back to the first script, inside which we doing -

echo $_POST['msg_ins'];//this echoes "This is the best chemistry\" only and off course without quotes.this is weird I am saying.
$msg = str_replace("'\", "'", $_POST['msg_ins']);
$msg = str_replace('"\', '"', $_POST['msg_ins']);

I haven't seen such a weird problem so far, and have given so much explanatory post for it above...!!!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.