
Thread: Escaping a String

  1. #1
    Escaping a String

    Hi all

    I have this pesky bug in my system and I'll try to explain it briefly.

    I pull out data from the database and via PHP/HTML output a list of user accounts.

    In some cases some of the data in the customer account contains a single quote, e.g:

    Mr Joe Bloggs
    12 My Street's Name
    My Town
    My City

    Now I run a javascript function via the onclick event of that HTML table row in my page and I pass the customer details to another script. This is my function (broken down for simplicity) from the HTML page:

    onclick='useContactDetails("<?php echo mysql_real_escape_string($firstname); ?>","<?php echo mysql_real_escape_string($lastname); ?>","<?php echo mysql_real_escape_string($row['address1']); ?>");'
    Now this breaks my javascript and the error console message I get is as follows:

    Error: SyntaxError: unterminated string literal
    Source Code:
    useContactDetails("Mr","Joe","Bloggs","12 My Street\
    How can I get around this problem?

    Many Thanks for reading.


  2. #2
    Replace, in your database, all single quotes with &apos; or a typographic apostrophe (’), also known as the typeset apostrophe or, informally, the curly apostrophe, obtained with Alt+0146.

  3. #3
    First, I'll play you this old broken record that says you shouldn't be using the old 'mysql' commands in PHP as they are far less secure than more recent implementations (e.g. mysqli or PDO) and all of those functions were removed from PHP as of version 5.5 (thus your script breaks when/if your server updates its version of PHP).

    Upon further review (of the simplicity of this problem), I've boiled down the answer to be as simple as possible.
    Start using urlencode() (and urldecode() respectively) when passing strings through PHP to MySQL and back. Using urlencode() before putting a string into a javascript variable will prevent your issue. And when you need to decode this string you can simply use the unescape() function in javascript to display a normal version of your string.
    Last edited by Sup3rkirby; 05-27-2014 at 03:53 PM.
    "Given billions of tries, could a spilled bottle of ink ever fall into the words of Shakespeare?"

  4. #4
    uhm... why are you using mysql_real_escape_string for your HTML OUTPUT? That doesn't even make sense! (of course since this is 2014 not 2004, why are you using mysql_ functions in the first place?!?)

    If it's output in a html attribute, you should be using htmlspecialchars, NOT mysql_real_escape_too_blasted_long_a_name....


    NOT that using the onevent attributes is all that great an idea anymore either. Good scripting should hook existing elements, not be static code in the middle of the markup... just as a well written page should be made to work without scripting FIRST.
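    The following is an added example, not code from any of the posters, that puts post #1's failure and post #4's fix side by side. It assumes a `useContactDetails()` function exists on the page, uses a constructed `$row` array in place of the database result, and uses `addslashes()` as a stand-in for the removed `mysql_real_escape_string()` (both turn `'` into `\'`). The value travels through two contexts, a JavaScript string literal that sits inside an HTML attribute, so it needs one encoding per context, applied inner-first; the data-attribute variant at the end is the "hook existing elements" approach from post #4.

```php
<?php
// Added example (not from the thread). $row is constructed to match the
// address in post #1; useContactDetails() is assumed to exist on the page.
$row = [
    'firstname' => 'Joe',
    'lastname'  => 'Bloggs',
    'address1'  => "12 My Street's Name",
];

// What post #1 does: SQL-style escaping turns ' into \' (addslashes stands in
// for mysql_real_escape_string). The backslash means nothing to the HTML
// parser, so the raw ' still terminates the onclick='...' attribute and the
// JS parser is handed  useContactDetails("Joe","Bloggs","12 My Street\
// which is the "unterminated string literal" error from the question.
function brokenOnclick(array $row): string {
    $esc = fn(string $s): string => addslashes($s);
    return "onclick='useContactDetails(\"" . $esc($row['firstname']) . "\",\""
         . $esc($row['lastname']) . "\",\"" . $esc($row['address1']) . "\");'";
}

// Inner context: a JavaScript string literal. json_encode produces a valid
// literal; the JSON_HEX_* flags also turn < > & ' " into \uXXXX escapes so
// the literal cannot close an attribute or open a tag on its own.
function jsStringLiteral(string $s): string {
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE
    );
}

// Outer context: an HTML attribute value. ENT_QUOTES encodes both ' and ",
// so the result is safe inside either attribute delimiter.
function htmlAttr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode inner-first (JS literal), then outer (HTML attribute). The browser
// decodes the attribute before handing the text to the JS parser, so the
// layers unwind in the right order.
function safeOnclick(array $row): string {
    $js = 'useContactDetails(' . jsStringLiteral($row['firstname']) . ','
        . jsStringLiteral($row['lastname']) . ','
        . jsStringLiteral($row['address1']) . ');';
    return "onclick='" . htmlAttr($js) . "'";
}

// Post #4's approach: no script in the markup. Only attribute encoding is
// needed because the values never pass through a JS string literal; a
// script reads them back via dataset and attaches the handler.
function dataAttrRow(array $row): string {
    return '<tr class="contact"'
         . ' data-firstname="' . htmlAttr($row['firstname']) . '"'
         . ' data-lastname="'  . htmlAttr($row['lastname'])  . '"'
         . ' data-address1="'  . htmlAttr($row['address1'])  . '">';
}

function hookScript(): string {
    return <<<'HTML'
<script>
document.querySelectorAll('tr.contact').forEach(function (tr) {
  tr.addEventListener('click', function () {
    useContactDetails(tr.dataset.firstname, tr.dataset.lastname, tr.dataset.address1);
  });
});
</script>
HTML;
}

echo "Broken (attribute ends at the \\' ):\n", brokenOnclick($row), "\n\n";
echo "Inline handler, encoded per context:\n", safeOnclick($row), "\n\n";
echo "Data attributes plus unobtrusive handler:\n", dataAttrRow($row), "\n", hookScript(), "\n";
```

    Running this under the PHP CLI prints the three variants; in the safe inline version the apostrophe arrives as `\u0027` inside `&quot;`-delimited literals, so neither the attribute nor the string literal can be closed early by the data. The same inner-then-outer rule applies to any other nesting (a URL inside an attribute, JSON inside a `<script>` block): pick the encoder for each layer the value crosses rather than the one for the database it came from.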
