help : apostrophe/single quotation mark

  • dajava

    help : apostrophe/single quotation mark

    Hi,

    Sorry for this beginner's question.
    I do not know PHP
    and am writing for my friend.

    He has never been a professional programmer.
    He studied C and PHP with some books
    and made a bulletin board for his hobby homepage.
    (He uses MS-Windows XP)

    Now, the problem is:

    Writing a message
    and previewing is OK.
    But, after posting, all the words including and after ' (apostrophe/
    single quotation mark) disappear.

    Examples are,

    --------------------------

    I can't do that

    ==I can

    --------------------------

    The person named 'Jim' is smart.

    ==The person named

    --------------------------

    Any hints?

    dajava,

  • Erwin Moller

    #2
    Re: help : apostrophe/single quotation mark

    dajava wrote:
    > Hi,
    >
    > Sorry for this beginner's question.
    > I do not know PHP
    > and am writing for my friend.
    >
    > He has never been a professional programmer.
    > He studied C and PHP with some books
    > and made a bulletin board for his hobby homepage.
    > (He uses MS-Windows XP)
    >
    > Now, the problem is:
    >
    > Writing a message
    > and previewing is OK.
    > But, after posting, all the words including and after ' (apostrophe/
    > single quotation mark) disappear.

    Well, you didn't give enough information, so we cannot help really.
    Some questions:

    What is writing a message exactly?
    Is that filling in some HTML-form that is submitted to a server?

    What is previewing a message exactly?
    Is that some JavaScript or does it include a trip to the server?

    If so: what does the server do with it?
    - some possibilities: Store it in a database, echo it back, store it in a
    file.

    And then: WHERE do these characters disappear? In a form? or as HTML?

    A wild guess:
    You write back to the client:
    <input type="text" name="whatever" value='I can't do that'>

    That is wrong.

    If you need " or ' in your response back to the client, make sure you call
    htmlentities() around the literal part you send back as value (or in any
    other inputelement-value, also textareas).

    Regards,
    Erwin Moller


    • Toby A Inkster

      #3
      Re: help : apostrophe/single quotation mark

      dajava wrote:
      > But, after posting, all the words including and after ' (apostrophe/
      > single quotation mark) disappear.

      Google: mysql_real_escape_string

      --
      Toby A Inkster BSc (Hons) ARCS
      Contact Me ~ http://tobyinkster.co.uk/contact
      Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

      * = I'm getting there!


      • dajava

        #4
        Re: help : apostrophe/single quotation mark

        I forward your wild guess to him.

        Let me rephrase my question
        with this hypothetical example with google groups.

        -----------------------------

        I arrived at comp.lang.php
        and typed a message to ask a question.

        entering/editing : This is a test. Don't you like this?
        previewing : This is a test. Don't you like this? ( great so far)
        Now, I click on POST button.
        then, what the heck,
        I got this : This is a test. Don

        ('t you like this? : these disappeared)
        -----------------------------------------------

        I cannot express myself well.
        I do not know PHP.
        I will post a reply again
        when I get e-mail from my friend.

        Thanks anyway.

        dajava,



        • Erwin Moller

          #5
          Re: help : apostrophe/single quotation mark

          dajava wrote:
          > I forward your wild guess to him.
          >
          > Let me rephrase my question
          > with this hypothetical example with google groups.
          >
          > -----------------------------
          >
          > I arrived at comp.lang.php
          > and typed a message to ask a question.
          >
          > entering/editing : This is a test. Don't you like this?
          > previewing : This is a test. Don't you like this? ( great so far)
          > Now, I click on POST button.
          > then, what the heck,
          > I got this : This is a test. Don

          Hi,

          This is part that needs more words/a better description:
          "I got this : This is a test. Don"

          My problem is: 'I got this.'.
          My exact problem is 'got'.

          WHAT did you get WHERE?

          Did the browser after submitting say that?
          Or did it appear like that in some newsgroup?

          In case of browser: Did the text appear like that in an input-element? Or as
          plain HTML?
          Did you look at the source of the HTML? (right mouse button on the offending
          page and select 'view source'.)

          You should give us that information, or you will be stuck with my 'wild
          guesses'.
          ;-)


          > ('t you like this? : these disappeared)
          > -----------------------------------------------
          >
          > I cannot express myself well.

          Keep trying. :-)

          > I do not know PHP.

          That is a problem when discussing a PHP problem. Seriously, you, or your
          friend, should know roughly what he is doing.

          > I will post a reply again
          > when I get e-mail from my friend.

          OK

          Regards,
          Erwin Moller

          > Thanks anyway.
          >
          > dajava,


          • dajava

            #6
            Re: help : apostrophe/single quotation mark


            This is what he wrote to me yesterday.

            ------------------------------------------------------

            ' in code means end of line. Therefore, ' and the rest of the sentences
            were truncated.
            Previewing is OK. But, the whole sentence will not be saved into DB.

            --------------------------------------------------------

            And I found the source code.

            <?

            // New post ($write==3) or new reply ($write==11)
            if(($write==3 || $write==11) && $writer != "" && $password != "" &&
               $contents != "")
            {
                if($write==3 && $title != "") // new post
                {
                    // Fetch the most recent post
                    $query = "select * from Dora_Board order by no desc limit 0 , 1";
                    @$result = mysql_query($query, $Dora_DB);
                    @$data = mysql_fetch_array($result);

                    if(strlen($title)>=100) // long title: shorten $data[1] before comparing
                    {
                        $title_leng=100;

                        if(strstr(substr($data[1], 0, 100), " "))
                            $title_leng = $title_leng - 2;

                        $data[1] = substr($data[1], 0, $title_leng);
                    }

                    if($title != $data[1]) // skip if it repeats $data[1] of the latest row
                    {
                        // User input goes into the SQL text unescaped (the apostrophe problem)
                        $query = "INSERT INTO `Dora_Board` (`Title` , `Writer`, `Password`, `Contents`, `Date`, `Ip`) ";
                        $query = $query . "VALUES ('" . (string)$title . "', '" .
                                 (string)$writer . "', '" . (string)$password . "', ";
                        $query = $query . "'" . (string)$contents . "', '" . (string)$date .
                                 "', '" . (string)$ip . "')";

                        @$result = mysql_query($query, $Dora_DB);
                    }
                }
                elseif($write==11 && $no != "") // new reply
                {
                    // Fetch the post being replied to
                    $query = "select * from Dora_Board where no='" . $no . "'";
                    @$result = mysql_query($query, $Dora_DB);
                    @$data = mysql_fetch_array($result);

                    // Fetch the most recent reply
                    $query = "select * from Dora_Reply order by no desc limit 0 , 1";
                    @$result = mysql_query($query, $Dora_DB);
                    @$data_r = mysql_fetch_array($result);

                    if($contents != $data_r[4] || $writer != $data_r[2]) // not a repeat of the latest reply
                    {
                        if($data[7] == 0 || $data[7] == "") // no replies yet
                            $data[7] = 1;
                        elseif($contents != $data_r[4])
                            $data[7] = $data[7]+1; // one more reply

                        // Store the new reply count on the post
                        $query = "update `Dora_Board` set `Reply` = '" . $data[7] .
                                 "' where `no` = '" . $no . "' Limit 1";
                        @$result = mysql_query($query, $Dora_DB);

                        // Insert the reply (same unescaped concatenation as above)
                        $query = "INSERT INTO `Dora_Reply` (`Main_no` , `Writer`, `Password`, `Contents`, `Date`, `Ip`) ";
                        $query = $query . "VALUES ('" . (integer)$no . "', '" .
                                 (string)$writer . "', '" . $password . "', ";
                        $query = $query . "'" . (string)$contents . "', '" . (string)$date .
                                 "', '" . (string)$ip . "')";

                        @$result = mysql_query($query, $Dora_DB);
                    }
                }
            }

            // Edit a post ($write==6) or a reply ($write==14)
            elseif(($write==6 || $write==14) && $writer != "" && $password != ""
                   && $contents != "" && $no != "")
            {
                if($write==6 && $title != "" && $closed == "")
                {
                    $query = "UPDATE `Dora_Board` SET `no` = '" . $no . "', `Title` = '" .
                             $title . "', `Writer` = '" . $writer . "', ";
                    $query = $query . "`Contents` = '" . $contents . "' WHERE `no` =" .
                             $no . " LIMIT 1";
                }
                elseif($write==14 && $ro != "")
                {
                    $query = "UPDATE `Dora_Reply` SET `no` = '" . $ro . "', `Writer` = '" .
                             $writer . "', ";
                    // Append to the query (the posted code overwrote $query here)
                    $query = $query . "`Contents` = '" . $contents . "' WHERE `no` =" .
                             $ro . " LIMIT 1";
                }
                @$result = mysql_query($query, $Dora_DB); // run the input query
            }

            // Delete a post ($write==8) or a reply ($write==16)
            elseif(($write==8 || $write==16) && $no !="" && $password != "")
            {
                // Fetch the post
                $query = "select * from Dora_Board where no='" . $no . "'";
                @$result = mysql_query($query, $Dora_DB);
                @$data = mysql_fetch_array($result);

                // Delete the post only if the password matches and it has no replies
                // (parentheses added so the password check always applies)
                if($write==8 && $data[3] == crypt($password, '씨앗키워드') &&
                   ($data[7] == "" || $data[7] == "0"))
                {
                    $query = "delete from `Dora_Board` where `no` = '" . $no . "'";
                    @$result = mysql_query($query, $Dora_DB);
                }

                // Delete a reply
                elseif($write==16 && $ro != "")
                {
                    // Fetch the reply
                    $query = "select * from Dora_Reply where no='" . $ro . "'";
                    @$result = mysql_query($query, $Dora_DB);
                    @$data_r = mysql_fetch_array($result);

                    // Delete it only if the password matches
                    if($data_r[3] == crypt($password, '씨앗 키워드'))
                    {
                        $query = "delete from `Dora_Reply` where `no` = '" . $ro . "'";
                        @$result = mysql_query($query, $Dora_DB);

                        // Store the reduced reply count on the post
                        $data[7] = $data[7] -1;
                        $query = "update `Dora_Board` set `Reply` = '" . $data[7] .
                                 "' where `no` = '" . $no . "' Limit 1";
                        @$result = mysql_query($query, $Dora_DB);
                    }
                }
            }

            include("./board.php"); // show the board

            ?>


            dajava,


            • Toby A Inkster

              #7
              Re: help : apostrophe/single quotation mark

              dajava wrote:
              > $query = "INSERT INTO `Dora_Board` (`Title` , `Writer`,
              > `Password`, `Contents`, `Date`, `Ip`) ";
              > $query = $query . "VALUES ('" . (string)$title . "', '" .
              > (string)$writer . "', '" . (string)$password . "', ";
              > $query = $query . "'" . (string)$contents . "', '" . (string)
              > $date . "', '" . (string)$ip . "')";

              As I said -- mysql_real_escape_string(). Replace the above with:

              $query = sprintf("INSERT INTO Dora_Board (Title, Writer, Password, Contents, Date, Ip)
                                VALUES ('%s', '%s', '%s', '%s', '%s', '%s');",
                               mysql_real_escape_string($title),
                               mysql_real_escape_string($writer),
                               mysql_real_escape_string($password),
                               mysql_real_escape_string($contents),
                               mysql_real_escape_string($date),
                               mysql_real_escape_string($ip));

              There are several other chunks of code that need rewriting similarly, but
              that should fix the immediate problem.

              If you don't fix these problems your site is open to being cracked by
              nasty people. Yes, really.

              Google: mysql_real_escape_string.

              --
              Toby A Inkster BSc (Hons) ARCS
              Contact Me ~ http://tobyinkster.co.uk/contact
              Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

              * = I'm getting there!


              • dajava

                #8
                Re: help : apostrophe/single quotation mark

                Hi,

                I received an e-mail from him a moment ago.
                He fixed the ' problem based on your advice.

                Two comments of mine:
                1.
                mysql_real_escape_string is not part of PHP 4.0
                Therefore, he did some research on the internet
                and found out that it is part of PHP 4.3.
                2. He just used your code,
                he doesn't know the rationale behind mysql_real_escape_string. Lol...

                I would like to thank Erwin and Tony for helping my friend.

                dajava,


                • Toby A Inkster

                  #9
                  Re: help : apostrophe/single quotation mark

                  dajava wrote:
                  > he doesn't know the rationale behind mysql_real_escape_string.

                  The rationale is thus:

                  The apostrophe character (') has a special meaning in SQL in that it
                  delimits (i.e. marks the beginning and end of) text. For example:

                  UPDATE my_table SET my_col='Hello World!';

                  Now, imagine that your text contains an apostrophe:

                  UPDATE my_table SET my_col='It's Raining Men';

                  Because the apostrophe is used to mark the end of some text, the above is
                  interpreted by the SQL engine as:

                  UPDATE my_table SET my_col='It'

                  with some spurious text after it.

                  mysql_real_escape_string(), and equivalent functions for other databases,
                  is used to encode the apostrophes (and other special characters) to make
                  them safe to use in SQL.

                  --
                  Toby A Inkster BSc (Hons) ARCS
                  Contact Me ~ http://tobyinkster.co.uk/contact
                  Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

                  * = I'm getting there!
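
The rationale in the post above, as an added example that is not part of the original thread: the same two sample sentences are inserted once by string concatenation and once through a prepared statement. Assumptions: PDO with an in-memory SQLite database stands in for the board's MySQL setup (the mysql_* functions used in the thread were removed in PHP 7), and the table is reduced to three columns; the function names are made up for this example.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the thread's MySQL setup.
// Table and column names follow the posted code; everything else is constructed.

function open_board(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of failing silently (the posted code hid them with @).
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Dora_Board (
        no INTEGER PRIMARY KEY AUTOINCREMENT,
        Title TEXT, Writer TEXT, Contents TEXT)');
    return $pdo;
}

// The "before": user text is pasted between the SQL quote delimiters.
// Returns null when the row was stored, or the database error message.
function insert_concatenated(PDO $pdo, string $title, string $writer, string $contents): ?string
{
    $query = "INSERT INTO Dora_Board (Title, Writer, Contents) "
           . "VALUES ('" . $title . "', '" . $writer . "', '" . $contents . "')";
    try {
        $pdo->exec($query);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();   // the apostrophe ended the string early
    }
}

// The "after": placeholders keep the data out of the SQL text entirely,
// so no character in it can act as a delimiter.
function insert_prepared(PDO $pdo, string $title, string $writer, string $contents): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO Dora_Board (Title, Writer, Contents) VALUES (?, ?, ?)');
    $stmt->execute([$title, $writer, $contents]);
}

function stored_contents(PDO $pdo): array
{
    return $pdo->query('SELECT Contents FROM Dora_Board ORDER BY no')
               ->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = open_board();
// The two sample messages from the first post of the thread.
$samples = ["I can't do that", "The person named 'Jim' is smart."];

foreach ($samples as $text) {
    $error = insert_concatenated($pdo, 'test', 'dajava', $text);
    echo "concatenated: ", $error === null ? "stored" : "REJECTED ($error)", "\n";
}
echo "rows after concatenated inserts: ", count(stored_contents($pdo)), "\n";

foreach ($samples as $text) {
    insert_prepared($pdo, 'test', 'dajava', $text);
}
foreach (stored_contents($pdo) as $row) {
    echo "stored intact: $row\n";
}
```

Because the database error is caught and reported rather than suppressed, the failed insert is visible at once, which the `@` prefix in the posted code prevented.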


                  • Toby A Inkster

                    #10
                    Re: help : apostrophe/single quotation mark

                    dajava wrote:
                    > mysql_real_escape_string is not part of PHP 4.0
                    > Therefore, he did some research on the internet
                    > and found out that it is part of PHP 4.3.

                    I believe there is an older mysql_escape_string() in some versions of PHP.

                    Also, for many purposes the addslashes() function will suffice, and that's
                    been part of PHP for many moons.

                    --
                    Toby A Inkster BSc (Hons) ARCS
                    Contact Me ~ http://tobyinkster.co.uk/contact
                    Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

                    * = I'm getting there!
