cheeseus cheeseus - 6 months ago 14
PHP Question

Escaping quotes in PHP from MySQL result (PDO)

The string to display comes from a MySQL table. I use PDO queries. The string contains double quotes:


Older spelling (from French). The modernized "petty larceny" is now preferred.


This is a definition of a dictionary entry that is displayed if available:

$search_results .= (!empty($english_definition)? "<a class=\"definition\" href=\"#\" data-toggle=\"popover\" rel=\"popover\"
data-content=\"".$english_definition."\">".$english."*</a>" : $english);


Because of the quotes, the definition is cut to after the word "modernized".

I tried using
addslashes()
but the result is that a single slash is displayed, and nothing after it.

I also tried adding slashes inside the table field, e.g.


Older spelling (from French). The modernized \"petty larceny\" is now preferred.


Without
stripslashes()
in the PHP code, only the first backward slash is displayed and nothing after it.

When I add
stripslashes()
, nothing is displayed after the word "modernized".

So, this is where I am stuck.

ADDITIONAL CODE:
This is how I insert new terms and definitions. I have added
htmlspecialchars()
for input where quotes could exist:

if(isset($_POST['submit'])) {

$english = htmlspecialchars($_POST['english']);
$english_abbr = $_POST['english_abbr'];
$variant = $_POST['variant'];
$bulgarian = htmlspecialchars($_POST['bulgarian']);
$bulgarian_abbr = $_POST['bulgarian_abbr'];
$theme_id = $_POST['theme_id'];
$english_definition = htmlspecialchars($_POST['english_definition']);
$bulgarian_definition = htmlspecialchars($_POST['bulgarian_definition']);

// Check if an entry already exists
$exists = $db->prepare("SELECT * FROM ".DICTIONARY_TABLE." WHERE english = :english AND theme_id = :theme_id ");
$exists->execute(array(':english' => $english, ':theme_id' => $theme_id));
$count = $exists->rowCount();
if($count > 0) {
echo "<h3 style=\"color:navy; background:transparent;\">&#8658; An entry in the same theme already exists.</h3>";
}
else {
$insert = $db->prepare("INSERT INTO ".DICTIONARY_TABLE."
(english, english_abbr, variant, bulgarian, bulgarian_abbr, theme_id)
VALUES
(:english, :english_abbr, :variant, :bulgarian, :bulgarian_abbr, :theme_id)");
$insert->execute(array(':english' => $english,
':english_abbr' => $english_abbr,
':variant' => $variant,
':bulgarian' => $bulgarian,
':bulgarian_abbr' => $bulgarian_abbr,
':theme_id' => $theme_id));

if($insert) {
echo "<h4 style=\"color:green; background:transparent;\">&#8658; Term \"$english\" inserted successfully.</h4>";

if(!empty($english_definition) || !empty($bulgarian_definition)) {
$insert_id = $db->lastInsertId();
$insert_def = $db->prepare(
"INSERT INTO ".DICTIONARY_DEFINITIONS."
(term_id, english_definition, bulgarian_definition)
VALUES
(:term_id, :english_definition, :bulgarian_definition)");
$insert_def->execute(array(
':term_id' => $insert_id,
':english_definition' => $english_definition,
':bulgarian_definition' => $bulgarian_definition));

if($insert_def) {
echo "<h4 style=\"color:green; background:transparent;\">&#8658; Definition(s) inserted successfully.</h4>";
}
else {
echo "<h4 style=\"color:red; background:transparent;\">&#8658; There was a problem inserting the definition(s)!</h4>";
}
}

unset($_POST); $_POST = array();
}
else {
echo "<h4 style=\"color:red; background:transparent;\">&#8658; There was a problem executing the query: </h4>";
}
}
include("insert_form.php");
}
else {
include("insert_form.php");
}

Answer

use htmlspecialchars() function when you save it to the database, and htmlspecialchars_decode() function when you want to echo it again.

Link to htmlspecialchars() function

Link to htmlspecialchars_decode() function