Escaping a String
I have this pesky bug in my system and i'll try to explain it briefly.
I pull out data from the database and via PHP/HTML output a list of user accounts.
In some cases some of the data in the customer account contains a single quote, e.g:
Mr Joe Bloggs
12 My Street's Name
onclick='useContactDetails("<?php echo mysql_real_escape_string($firstname); ?>","<?php echo mysql_real_escape_string($lastname); ?>","<?php echo mysql_real_escape_string($row['address1']); ?>");'
How can I get around this problem?
Error: SyntaxError: unterminated string literal
useContactDetails("Mr","Joe","Bloggs","12 My Street\
Many Thanks for reading.
Replace, in your database, all single quote by a ' or a typographic apostrophe ( ’ ), also known as the typset apostrophe, or, informally, the curly apostrophe obtain with alt 0146.
First, I'll play you this old broken record that says you shouldn't be using the old 'mysql' commands in PHP as they are far less secure than more recent implementations (eg. mysqli or PDO) and all of those functions were removed from PHP as of version 5.5 (thus your script breaks when/if your server updates it's version of PHP).
Upon further review (of the simplicity of this problem), I've boiled down the answer to be as simple as possible.
uhm... why are you using mysql_real_escape_string for your HTML OUTPUT? That doesn't even make sense! (of course since this is 2014 not 2004, why are you using mysql_ functions in the first place?!?)
If it's output in a html attribute, you should be using htmlspecialchars, NOT mysql_real_escape_too_blasted_long_a_name....
NOT that using the onevent attributes is all that great an idea anymore either. Good scripting should hook existing elements, not be static code in the middle of the markup... just as a well written page should be made to work without scripting FIRST.