Possible escaping quotes problem

Question

niche1 0 Junior Poster in Training

12 Years Ago

This script displays the way I need it to when I manually insert it into my script with the correct value for $expdat: Expires ' . $expdat . '.

How should I escape the quotes to be able to echo it from a mysql table?

If I just INSERT it (as is) into a mysql table and echo it from there, it displays as: Expires ' . $expdat . '.

php

5 Contributors
16 Replies
195 Views
4 Days Discussion Span
Latest Post 12 Years Ago Latest Post by hielo

All 16 Replies

MooGeek 16 Posting Whiz

12 Years Ago

Hello!

Try this one

http://php.net/manual/en/function.mysql-real-escape-string.php

Cheers!

hielo 65 Veteran Poster

12 Years Ago

//connect to db first
...
$expdat='July 20, 2012';
$theValue='<span style="background-color:yellow">Expires ' . $expdat . '. </span>';

//escape the value you are about to insert into the table:
$theValue = mysql_real_escape_string($theValue);

//provide the correct name for your table and your field
mysql_query( "INSERT INTO `tableName`(`fieldName`) VALUES('" . $theValue . "')" ) or die( mysql_error() );

//now if you select the inserted value you should be able to get what you inserted.
...

Stefano Mtangoo 455 Senior Poster

12 Years Ago

Except $theValue comes from a mysql table. That, apparently, changes things. I've been struggling with this. If you needed to display: Expires ' . $expdat . '. from a mysql table.
and $expdat = 06/09/12
How would you do it?

What is your question? Escape data for DB or echoing escaped data? Your question is ambiguous!

Stefano Mtangoo 455 Senior Poster

12 Years Ago

the 2nd, it comes from the mysql table (with double quotes escaped: Expires $expdat.. There's something being lost when the value comes from the table.

The problem is how you insert than the display part. Show us relevant code of your insert, especially how you construct SQL query!

faroukmuhammad commented: Yes, there may be mokey business inside the table +3

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

niche1 0 Junior Poster in Training · Answer 1 · 2011-07-20T11:43:00+00:00

Except $theValue comes from a mysql table. That, apparently, changes things. I've been struggling with this. If you needed to display: Expires ' . $expdat . '. from a mysql table.

and $expdat = 06/09/12

How would you do it?

niche1 0 Junior Poster in Training · Answer 2 · 2011-07-20T20:40:19+00:00

echoing escaped data from a database

This displays properly:

$dclaim = "<span style=\"background-color:yellow\">Expires   $expdat.</span>";
$var = eval("return '" . $dclaim . "';");
echo '<p style="font-size:9px;margin:0px;">' . $var . '</p>';

This doesn't and I don't know why:

//$dclaim same as above except from a mysql table including escaped quotes
$var = eval("return '" . $dclaim . "';");
echo '<p style="font-size:9px;margin:0px;">' . $var . '</p>';

What am I missing?

ko ko 97 Practically a Master Poster · Answer 3 · 2011-07-20T21:26:40+00:00

ko ko 97 Practically a Master Poster

12 Years Ago

Perhaps, stripslash() can help you.

Stefano Mtangoo 455 Senior Poster · Answer 4 · 2011-07-20T21:48:59+00:00

echoing escaped data from a database

This displays properly:

$dclaim = "<span style=\"background-color:yellow\">Expires   $expdat.</span>";
$var = eval("return '" . $dclaim . "';");
echo '<p style="font-size:9px;margin:0px;">' . $var . '</p>';

This doesn't and I don't know why:

//$dclaim same as above except from a mysql table including escaped quotes
$var = eval("return '" . $dclaim . "';");
echo '<p style="font-size:9px;margin:0px;">' . $var . '</p>';

What am I missing?

what does it print? How do you insert in Database?

niche1 0 Junior Poster in Training · Answer 5 · 2011-07-20T22:00:33+00:00

the first example (the one that works) displays (in yellow): Expires 06/09/12.

the second example (the no go) displays (without yellow): Expires $expdat.

the 1st example $dclaim is manually coded and in the 2nd, it comes from the mysql table (with double quotes escaped: Expires $expdat.. There's something being lost when the value comes from the table.

ko ko 97 Practically a Master Poster · Answer 6 · 2011-07-20T22:48:04+00:00

ko ko 97 Practically a Master Poster

12 Years Ago

Are you meaning '$expdat' is from MySQL database ? Did you store as variable ?

niche1 0 Junior Poster in Training · Answer 7 · 2011-07-20T23:59:48+00:00

SQL query:

include_once "connect_to_mysql.php";
$result = mysql_query("SELECT * FROM stk WHERE id = 288") or die(mysql_error());
while ($row = mysql_fetch_array($result)) {
$id = $row;
&pic = $row;
$pic2 = explode("-",$pic);
$expdate = $pic2[3];
$expdat = substr($expdate,2,2) . "/" . substr($expdate,4,2) . "/" . substr($expdate,0,2);
$dclaim = $row;
}

value in $expdat = 06/09/12
value in $dclaim = Expires $expdat.

The hole in my script looks like this:

< div>

Something that says "Expires 06/09/12." with a yellow BG ;
</div>

I tried to get the display i need with:

$var = eval("return '" . $dclaim . "';");
echo '' . $var . '';

I get (without yellow BG): Expires $expdat.

Instead of what I need (with yellow BG): Expires 06/09/12

What am I missing?

niche1 0 Junior Poster in Training · Answer 8 · 2011-07-21T06:03:05+00:00

I got this to work:

$db_val = $dclaim;
				$replaced = sprintf($db_val, $expdat);
                echo '<p style="font-size:9px;margin:0px;">' . $replaced . '</p>';

Thanks for everyone's help,

Niche

Stefano Mtangoo 455 Senior Poster · Answer 9 · 2011-07-21T17:04:41+00:00

SQL query:
include_once "connect_to_mysql.php";
$result = mysql_query("SELECT * FROM stk WHERE id = 288") or die(mysql_error());
while ($row = mysql_fetch_array($result)) {
$id = $row;
&pic = $row;
$pic2 = explode("-",$pic);
$expdate = $pic2[3];
$expdat = substr($expdate,2,2) . "/" . substr($expdate,4,2) . "/" . substr($expdate,0,2);
$dclaim = $row;
}
value in $expdat = 06/09/12
value in $dclaim = Expires $expdat. 
The hole in my script looks like this:
< div>
Something that says "Expires 06/09/12." with a yellow BG ;
</div>
I tried to get the display i need with:
$var = eval("return '" . $dclaim . "';");
echo '' . $var . '';
I get (without yellow BG): Expires $expdat.
Instead of what I need (with yellow BG): Expires 06/09/12
What am I missing?

show how you insert into database!

niche1 0 Junior Poster in Training · Answer 10 · 2011-07-21T20:29:52+00:00

Please excuse me. Here's the code. It inserts (using UPDATE) some html/css and a php value to be displayed by a sprintf() function. The content that was the source of my question is:"Expires %s. " Your guidance on this is very appreciated.:

//do this provided there's disclaimers to process
if (strlen($dclaim_sum_val > 0)) {
  //while there's disclaimers to add 
  while ($counter < $reps) {
    //get id value for disclaimer
	$dc_num = $dclaim_sum_val2[$counter];
    //get disclaimer text for id value
	include "connect_to_mysql.php";
        $claim_select = mysql_query("SELECT * FROM disclaimers WHERE id = " . $dc_num . "") or die(mysql_error());
	//parse result of mysql_query
	$claim_select2 = mysql_fetch_array($claim_select);
	$claim_select3 = $claim_select2['disclaimer'];
	$dc_num = "'" . $dclaim_sum_val2[$counter] . "'";
	$claim_select3 = "'" . $claim_select2['disclaimer'] . "'";
	//add selected disclaimers to stk table
	include "connect_to_mysql.php";
	//mysql_query("UPDATE stk SET dclaim_sum = CONCAT(dclaim_sum," . $dc_num . "), dclaim = CONCAT(dclaim," . $claim_select3 . ")  WHERE id = " . $upc_key . "") or die(mysql_error());
    mysql_query("UPDATE stk SET dclaim = CONCAT(dclaim," . $claim_select3 . ")  WHERE id = " . $upc_key . "") or die(mysql_error());
	//mysql_query("UPDATE stk SET dclaim_sum = CONCAT(dclaim_sum," . $dc_num . ")  WHERE id = " . $upc_key . "") or die(mysql_error());
	
	//advance the counter
	$counter++;
  }
}

Stefano Mtangoo 455 Senior Poster · Answer 11 · 2011-07-22T14:51:23+00:00

Replace the code

mysql_query("UPDATE stk SET dclaim = CONCAT(dclaim," . $claim_select3 . ")  WHERE id = " . $upc_key . "") or die(mysql_error());

with code below and tell us what it displays:

echo "UPDATE stk SET dclaim = CONCAT(dclaim," . $claim_select3 . ")  WHERE id = " . $upc_key . "";
die();

hielo 65 Veteran Poster · Answer 12 · 2011-07-24T23:03:57+00:00

first of all on your post above, &pic = $row['pic']; should be $pic = $row['pic']; .

From that post, I can see that $expdat is derived from the value you have in the `pic` column of your `stk` table. So you need to show where you are updating `stk`.`pic` . What you posted shows where you are updating `stk`.`dclaim` , but that is NOT the problem. Look through your code and see where you are updating `stk`.`pic` and then post it here.

Possible escaping quotes problem

Recommended Answers Collapse Answers

All 16 Replies

Recommended Answers