cheeseus cheeseus - 2 years ago 75
PHP Question

Escaping quotes in PHP from MySQL result (PDO)

The string to display comes from a MySQL table. I use PDO queries. The string contains double quotes:

Older spelling (from French). The modernized "petty larceny" is now preferred.

This is a definition of a dictionary entry that is displayed if available:

$search_results .= (!empty($english_definition)? "<a class=\"definition\" href=\"#\" data-toggle=\"popover\" rel=\"popover\"
data-content=\"".$english_definition."\">".$english."*</a>" : $english);

Because of the quotes, the definition is cut to after the word "modernized".

I tried using
but the result is that a single slash is displayed, and nothing after it.

I also tried adding slashes inside the table field, e.g.

Older spelling (from French). The modernized \"petty larceny\" is now preferred.

in the PHP code, only the first backward slash is displayed and nothing after it.

When I add
, nothing is displayed after the word "modernized".

So, this is where I am stuck.

This is how I insert new terms and definitions. I have added
for input where quotes could exist:

if(isset($_POST['submit'])) {

$english = htmlspecialchars($_POST['english']);
$english_abbr = $_POST['english_abbr'];
$variant = $_POST['variant'];
$bulgarian = htmlspecialchars($_POST['bulgarian']);
$bulgarian_abbr = $_POST['bulgarian_abbr'];
$theme_id = $_POST['theme_id'];
$english_definition = htmlspecialchars($_POST['english_definition']);
$bulgarian_definition = htmlspecialchars($_POST['bulgarian_definition']);

// Check if an entry already exists
$exists = $db->prepare("SELECT * FROM ".DICTIONARY_TABLE." WHERE english = :english AND theme_id = :theme_id ");
$exists->execute(array(':english' => $english, ':theme_id' => $theme_id));
$count = $exists->rowCount();
if($count > 0) {
echo "<h3 style=\"color:navy; background:transparent;\">&#8658; An entry in the same theme already exists.</h3>";
else {
$insert = $db->prepare("INSERT INTO ".DICTIONARY_TABLE."
(english, english_abbr, variant, bulgarian, bulgarian_abbr, theme_id)
(:english, :english_abbr, :variant, :bulgarian, :bulgarian_abbr, :theme_id)");
$insert->execute(array(':english' => $english,
':english_abbr' => $english_abbr,
':variant' => $variant,
':bulgarian' => $bulgarian,
':bulgarian_abbr' => $bulgarian_abbr,
':theme_id' => $theme_id));

if($insert) {
echo "<h4 style=\"color:green; background:transparent;\">&#8658; Term \"$english\" inserted successfully.</h4>";

if(!empty($english_definition) || !empty($bulgarian_definition)) {
$insert_id = $db->lastInsertId();
$insert_def = $db->prepare(
(term_id, english_definition, bulgarian_definition)
(:term_id, :english_definition, :bulgarian_definition)");
':term_id' => $insert_id,
':english_definition' => $english_definition,
':bulgarian_definition' => $bulgarian_definition));

if($insert_def) {
echo "<h4 style=\"color:green; background:transparent;\">&#8658; Definition(s) inserted successfully.</h4>";
else {
echo "<h4 style=\"color:red; background:transparent;\">&#8658; There was a problem inserting the definition(s)!</h4>";

unset($_POST); $_POST = array();
else {
echo "<h4 style=\"color:red; background:transparent;\">&#8658; There was a problem executing the query: </h4>";
else {

Answer Source

use htmlspecialchars() function when you save it to the database, and htmlspecialchars_decode() function when you want to echo it again.

Link to htmlspecialchars() function

Link to htmlspecialchars_decode() function

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download