[ciapug] The quote trouble
Barry Von Ahsen
ciapug@cialug.org
Thu, 15 Apr 2004 10:17:53 -0500
Claus wrote:
> Hello
>
> This time a more specific question. What do you do with user input
> that potentially could include single and double quotes? Single quotes
> will cause problems with my SQL statements (PostgreSQL in my case) and
> double quotes with the HTML code (i.e. the value attribute of a form field).
>
> Do you add escape characters each time you write an SQL statement (i.e. a second
> single quote) and when including them in value attributes (i.e.
> backslash)? Or do you store the data after it has been converted with
> htmlspecialchars() (i.e. double quote becomes &quot; and single quote
> becomes &#039;)? Or do you have a better way to do it?
>
This may be taken care of by the server: there is a php.ini directive
called magic_quotes_gpc. If not, you can use addslashes(). See:
http://us2.php.net/manual/en/function.addslashes.php - it talks about both.
The gotcha when magic_quotes_gpc is on is that if form2 echoes data from
form1 and someone's name is O'Malley in form1, it will display as
O\'Malley in form2 (and of course on form3 it will show as O\\\'Malley),
but then you can use stripslashes() to undo that.
I also use ADODB for db abstraction, and it has a function to quote
special characters, and I assume that it knows which characters are
special to whichever database you're using.
-barry
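The slash pile-up Barry describes, and the store-raw / escape-per-context approach to Claus's question, as an added example; this is not code from the thread or from ADODB. It assumes PHP 5.1 or later with the pgsql extension for pg_query_params() (magic_quotes_gpc and get_magic_quotes_gpc() only exist in PHP 4 through 7), and the form values are constructed.

```php
<?php
// Added example, not from the thread. Assumes PHP 5.1+ with the pgsql extension.

// Each form hop with magic_quotes_gpc on runs addslashes() over the submitted
// value, so a value that is echoed back and re-submitted gains a layer of
// backslashes every time (the O'Malley -> O\'Malley -> O\\\'Malley gotcha).
function simulateFormHops($name, $hops) {
    for ($i = 0; $i < $hops; $i++) {
        $name = addslashes($name); // what magic_quotes_gpc does per request
    }
    return $name;
}

// Bring incoming data back to its raw form exactly once, whatever the
// server setting is, so the rest of the code never sees pre-escaped input.
function rawInput($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// HTML context: escape when the value is written into the page, not when it
// is stored. ENT_QUOTES also converts ' so the value is safe inside a
// single- or double-quoted attribute.
function htmlAttr($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// SQL context: hand the raw value to the driver as a parameter and let it do
// the quoting for PostgreSQL. $conn is a live pg_connect() resource, so this
// function is shown for the pattern and not called in the demo below.
function insertPerson($conn, $name) {
    return pg_query_params($conn, 'INSERT INTO people (name) VALUES ($1)', array($name));
}

// Demo of the gotcha with a constructed value: hop 1 is what form2 shows,
// hop 2 is what form3 shows.
$raw = "O'Malley";
echo simulateFormHops($raw, 1), "\n";
echo simulateFormHops($raw, 2), "\n";

// Undoing one layer restores the raw value; the HTML escape is applied only at output.
$submitted = addslashes($raw);
$clean     = stripslashes($submitted);
echo ($clean === $raw ? 'round-trip ok' : 'round-trip broken'), "\n";
echo '<input type="text" value="', htmlAttr($clean), '">', "\n";
```

The two echo lines print the O\'Malley and O\\\'Malley progression from the reply. The point of keeping the stored value raw is that each output context (SQL, HTML attribute) gets its own escaping exactly once, which is what makes the double-escaping disappear.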