nTuply - 1 year ago
PHP Question

Double quotes in DB breaking HTML Output

I've tried everything, and I still can't figure it out.

I just can't understand why double quotes are not displaying on my website.

<?php
// $user_session is interpolated straight into the SQL string (the answer below explains it should be bound instead)
$sql = $con->prepare("SELECT * FROM `user_settings` WHERE `user_session` = '$user_session'");
$sql->execute();

$result = $sql->fetchAll(PDO::FETCH_ASSOC);

foreach ($result as $row) {
    $advertising_1 = $row['advertising_1'];
    $advertising_2 = $row['advertising_2'];
    $website_name  = $row['website_name'];
    $website_url   = $row['website_url'];
    $statistics    = $row['statistics'];
    // $website_name is echoed unescaped: a double quote inside it closes the value="" attribute early
    echo '<input type="text" name="website_name" placeholder="Your Website URL" value="' . $website_name . '" />';
}
?>

Can someone please explain where I'm going wrong here? The problem arises with double quotes in my string. Single quotes were fixed with mysql_escape, but it appears to be deprecated.

Answer Source

You need to escape the data you are outputting to the browser: use htmlspecialchars and use the quotes constant (ENT_QUOTES) so all quotes are converted to entities. Note this is also how XSS injections are prevented/performed. Elements/attributes are closed when they aren't supposed to be and then malicious code is written.

echo htmlspecialchars('Encode all of these "test" test \'test \'', ENT_QUOTES);

Encode all of these &quot;test&quot; test &#039;test &#039;

and in a browser:

Encode all of these "test" test 'test '

Also, from the code you displayed, you are misusing prepared statements. Values need to be bound, not concatenated to your query. This way the PDO driver will handle the quoting/escaping. This could result in similar issues for you in the future if you continue to use it as you have it. It also opens you to SQL injections.

For more information on prepared statements see: http://php.net/manual/en/pdo.prepared-statements.php
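Putting both points of the answer together, here is a corrected version of the question's snippet as an added example (not the asker's or answerer's code). It binds the session value with a named placeholder and escapes the stored value with ENT_QUOTES at output time. To run stand-alone it uses an in-memory SQLite database in place of the MySQL table; the table and column names follow the question, while the session id and the website name containing double quotes are constructed sample data.

```php
<?php
declare(strict_types=1);

// Escape a value for use inside an HTML attribute or text node.
// ENT_QUOTES converts both " and ', so a stored value can never close the
// attribute it is printed into; ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole string into "".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the <input> element from the question. Escaping happens here, at the
// point of output, so the database keeps the raw text exactly as entered.
function website_name_input(string $website_name): string
{
    return '<input type="text" name="website_name" placeholder="Your Website URL" value="'
        . h($website_name) . '" />';
}

// Load the settings row for a session. The value is bound, not concatenated,
// so the driver quotes it and a session string containing ' or " is just data.
function load_settings(PDO $con, string $user_session): ?array
{
    $sql = $con->prepare('SELECT * FROM `user_settings` WHERE `user_session` = :session');
    $sql->bindValue(':session', $user_session, PDO::PARAM_STR);
    $sql->execute();
    $row = $sql->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed fixture: in-memory SQLite standing in for the MySQL table ---
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE user_settings (user_session TEXT, website_name TEXT, website_url TEXT)');
$insert = $con->prepare('INSERT INTO user_settings (user_session, website_name, website_url) VALUES (:s, :n, :u)');
$insert->execute([
    ':s' => 'sess-123',                 // constructed session id
    ':n' => 'My "Quoted" Site',         // constructed name that broke the original output
    ':u' => 'https://example.com',
]);

// Normal lookup: the double quotes come back as &quot; inside the attribute.
$row = load_settings($con, 'sess-123');
if ($row !== null) {
    echo website_name_input($row['website_name']), PHP_EOL;
}

// A session value containing a quote simply matches no row instead of
// altering the query text.
var_dump(load_settings($con, "sess-123' OR 'a'='a"));
```

If the input element is rendered inside a form that is later submitted, the same h() wrapper is all that is needed on every other value printed into the page; the escaping is per output context, so a value that goes into a URL or into JavaScript needs urlencode or json_encode respectively rather than htmlspecialchars.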
