I'm trying to pass a word that has the char ' or " in the middle of it.
it's one of the fields in a form, so when I submit, the next page gets only the part of the word before the " or ' char. I tried using mysql_real_escape_string() but this just adds a slash so I get half a word with a slash..

<form>...
echo'<OPTION VALUE="'.mysql_real_escape_string($rowName['Name']).'">'.$rowName['Name'];
</form>...

if the word is my"hom'e all I get is my/

how can I get the exect word my"hom'e completely?

Recommended Answers

All 11 Replies

i think you will have to search for individual single quotes and double quotes. also you will have to check for the context in which they are being used in.

use the following code to check if single quotes and double quotes exist of not.

<?php

$val="hello'free\"bye\"'";

echo $val;

$length=strlen($val);
echo"<br />";
echo $length."<br />";
$i=0;

while($i<$length)
{
if($val[$i]=='\'')
{
echo "found single quote<br />";
}//end if
else if($val[$i]=='"')
{
echo "found double quote<br />";

}//end else if
$i++;

}//end while

?>

the result out put will be:

hello'free"bye"'
16
found single quote
found double quote
found double quote
found single quote

there are 2 single quotes and 2 double quotes. as they are encountered, i am printing the message.

I'm not interested in knowing if the chars are there..I know they are, I want to pass the whole word via POST without it being cut off, the code that handles the submitted form MUST get the word WITH those chars...so removing them won't help here

If you're using value="" (double quotes) you can put single quote in them. If youre using quote='' (single quote) you can put double quotes in them. If you want to mix it, you need to pick one and change the second one to HTML entities, example:

<option value="this is a value with a &quot; and a ' in it">
<option value='this is another one, with both a " and a &squot; in it'>

Replace the characters with strreplace()

thanks BTMPL!

htmlentities does this for you

the strreplace() did the trick.. but now I'm having another problem lol

how can I look for a record in DB with a value that has BOTH of these chars?

$val=a"b'c; //assume this is the string
$query="select * from tblx where tblx.a=$val";

the query gives errors of course no matter how I play with the chars..and I can't replace them here cuz in the DB that's how the word saved so it won't match if I change it..

Uh, you can't do that in SQL.

In SQL you have to escape special characters, so

" becomes \"
' becomes \'

And the query should end up looking like this:

$query = 'SELECT * FROM `tblx` WHERE tblx.a = "value with a \" in it"';

Also, it is unsafe to use plain queries - please look into PDO. If you need to stick qith plain queries, keep in mind: never us a value goten from outside sources (GET, POST) in a query without sanitizing it first. Check the PHP function mysql_real_escape_string for more info.

So, if you need to get the above code working, try this:

$val = 'a string with " in it';
$query = 'SELECT * FROM `tblx` WHERE tblx.a = "'.mysql_real_escape_string($val).'"';

nop doesn't work... I used this function to insert strings but with select it gives me this error
for this $val=a"b'c
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"b\'c;"' at line 1

First of all,

$val=a"b'c;

would end up in parse error.

Second - output the query you're using (echo $query after you've completed it) and paste it here please.

Oh yes it does work! had a quote missing lol
oh how much I hate those quotes!!

thanks everybody!!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.