[SOLVED] Apostrophe headaches

This topic is locked

[SOLVED] Apostrophe headaches	5/30/2012 4:47:43 PM
PHPRunner General questions
bbarker author I resolved one problem recently by modifying my query to `WHERE users_usr.nam usr = '".db_addslashes($_SESSION['UserID'])."'");` But now I see that users are adding all kinds of apostrophes (") into other text fields. And it shows up as a tiny box on the screen. Example: http://vcca.org/events_listdetails.php?ID='15'; See the "Information" field. When I look at the database, the apostrophes are saved as a vertical line. -- So my question is: Do I need to add some kind of "addslashes" to EVERY field that accepts user entry? And if so, is this done as an html mod on the Visual Editor page? ... for EVERY field??? arghhhhh.... Do I need to add something like this whenever I pull from the database and want to display it on a web page? Most of the previous postings about this issue were between 2004 and 2008. And there was a lot of discussion about PHPR "fixing" this problem with Version 5. But I know that PHP and MySQL are moving targets. Is there a uniform way to gracefully accept all apostrophes in all entries?

Mark as Solved Mark as not solved

6 replies


P	procheck 5/30/2012
	You're probably looking at using mysqli_real_escape_string(). It could be a lot of work. You could disallow apostophes but that might be unacceptable for your application.


	Sergey Kornilov admin 5/30/2012
	You should prevent unwanted characters in your database. Add validation to those text fields to allow entering numbers only. Another option is to use masked edit control.


	bbarker author 5/30/2012
	You should prevent unwanted characters in your database. Add validation to those text fields to allow entering numbers only. Another option is to use masked edit control. Thanks... I understand the "numbers" option. But safeguarding the "text" WHEN USING PHPR is still a mystery. I just researched for 2 hours about mysqli_real_escape_string but it's not highly recommended by a large number of the expert community. !?!? So -- "...use masked edit control" How do I do that in a 1,000 varchar field that is open to 8,000 members who are entering (unclean) Event Information? It appears that only the Apostrophes are causing the issues.


	Sergey Kornilov admin 5/30/2012
	I assumed that you were talking about a numeric field. If you are talking about a normal text field - PHPRunner automatically screens apostrophes using mysqli_real_escape_string() or similar functions. Probably you are talking about some other characters i.e. about curly quotes that Word uses instead of normal double quotes. You will need to convert those curly quotes to their HTML representation. Probably the best option for you is to use Rich Text Editor option for editing and 'View as' type HTML. More info about handling curly quotes in HTML: http://www.dwheeler.com/essays/quotes-in-html.html


	bbarker author 5/31/2012
	....Probably you are talking about some other characters i.e. about curly quotes that Word uses instead of normal double quotes. You will need to convert those curly quotes to their HTML representation. Probably the best option for you is to use Rich Text Editor option for editing and 'View as' type HTML. More info about handling curly quotes in HTML: http://www.dwheeler.com/essays/quotes-in-html.html Yes, Yes, YES!!!! That was it. I just went in and over-wrote the input that the user entered. And they DID use slanted apostrophes -- and curly quotes. As soon as I overtyped them with normal characters, the disply was immediately cleaned up!!!!! Hooray!!!!! So, now I like your idea about using a Rich Text Editor... I'll work on that next. Sergy, thanks for responding AGAIN tonight. I know that it must be late for you -- but you helped me resolve a long standing problem!! Lesson Learned when entering lots of text: Don't use ` - instead use ' Don't use "curly" quotes - instead use "


	bbarker author 5/31/2012
	I added the Basic Rich Text Editor-- and it allowed me to replace all of the offending QUOTES and APOSTROPHES. Problem now resolved. Thanks for the support!!!! And I'm REALLY glad that I didn't have to add the mysqli_real_escape_string() change. Ouch.

6 replies

Mark as Solved Reply