Apostrophe issue

on 17.09.2005 00:06:53 by Shawn Wilson

I have a photo album page written in PHP where I pull captions and such from
an SQL
database and the result is of course an HTML page.

My problem is with the use of an apostrophe (single quote) and other such
characters as they break my HTML. I'm also using javascript and it's a
problem there as well.

How should I store such characters in SQL, or maybe just how should I read
them out so they can't break my code, yet they show up on the screen fine?

The method I use to insert such characters works without problems. In the
SQL I get what was intended... e.g. Ginny's Wedding

However when I pull it out I get this: (seemingly correct)

src="data/293/0/cover3.jpg" alt="Ginny's Wedding"
onMouseOver="switchit('Ginny's Wedding - Jun 11 2005');"
onMouseOut="clearit();">



...But then my JS is broken because the text is in single quotes and another
extra one breaks it.



--
Shawn Wilson

Re: Apostrophe issue

on 17.09.2005 03:23:51 by Tyrone Slothrop

On Fri, 16 Sep 2005 22:06:53 GMT, "Shawn Wilson"
wrote:

>I have a photo album page written in PHP where I pull captions and such from
>an SQL
>database and the result is of course an HTML page.
>
>My problem is with the use of an apostrophe (single quote) and other such
>characters as they break my HTML. I'm also using javascript and it's a
>problem there as well.
>
>How should I store such characters in SQL, or maybe just how should I read
>them out so they can't break my code, yet they show up on the screen fine?
>
>The method I use to insert such characters works without problems. In the
>SQL I get what was intended... e.g. Ginny's Wedding
>
>However when I pull it out I get this: (seemingly correct)
>
> >src="data/293/0/cover3.jpg" alt="Ginny's Wedding"
>onMouseOver="switchit('Ginny's Wedding - Jun 11 2005');"
>onMouseOut="clearit();">


>
>...But then my JS is broken because the text is in single quotes and another
>extra one breaks it.

Shawn:

Refer to these:
http://us2.php.net/manual/en/function.htmlspecialchars.php
http://us2.php.net/manual/en/function.htmlentities.php

Since what you seem to be pulling from the data table is simple text
to populate the display, they ought to work for you.

Re: Apostrophe issue

on 19.09.2005 02:28:28 by Shawn Wilson

"Tyrone Slothrop" wrote in message
news:ssrmi1prktr03p7n1hekb2knfje1cleanu@4ax.com...
> On Fri, 16 Sep 2005 22:06:53 GMT, "Shawn Wilson"
> wrote:
>
>>My problem is with the use of an apostrophe (single quote) and other such
>>characters as they break my HTML. I'm also using javascript and it's a
>>problem there as well.
>>
>>The method I use to insert such characters works without problems. In the
>>SQL I get what was intended... e.g. Ginny's Wedding
>>
>> >>src="data/293/0/cover3.jpg" alt="Ginny's Wedding"
>>onMouseOver="switchit('Ginny's Wedding - Jun 11 2005');"
>>onMouseOut="clearit();">


>>
>>...But then my JS is broken because the text is in single quotes and another
>>extra one breaks it.
>
> Shawn:
>
> Refer to these:
> http://us2.php.net/manual/en/function.htmlspecialchars.php
> http://us2.php.net/manual/en/function.htmlentities.php
>
> Since what you seem to be pulling from the data table is simple text
> to populate the display, they ought to work for you.

Well, that converts my single quote to ['], but that also breaks the
javascript.

Maybe I need to move on to a JS group for this one.

--
Shawn Wilson

Re: Apostrophe issue

on 19.09.2005 13:09:03 by Steve

> >>My problem is with the use of an apostrophe (single quote) and other such
> >>characters as they break my HTML. I'm also using javascript and it's a
> >>problem there as well.

Text in javascript strings that could have apostrophes must be escaped.
The javascript escape character is a backslash. To do this see the user
notes under - search that entry for
"javascript".

---
Steve

Re: Apostrophe issue

on 19.09.2005 15:34:23 by Shawn Wilson

"Steve" wrote in message
news:1127128143.582679.46850@g43g2000cwa.googlegroups.com...
>
>> >>My problem is with the use of an apostrophe (single quote) and other
>> >>such
>> >>characters as they break my HTML. I'm also using javascript and it's a
>> >>problem there as well.
>
> Text in javascript strings that could have apostrophes must be escaped.
> The javascript escape character is a backslash. To do this see the user
> notes under - search that entry for
> "javascript".

Yeah, that's what I ended up doing is slashing it with addslashes()...
although that created its own little bump since I use that same php
variable for the image's alt tag and HTML leaves the slash there so I got
"Ginny\'s Wedding" as the image alt tooltip. Had to add another variable
(one slashed and one not) to get it right.

The thing with extended ASCII encoding is that it still broke my JS. I
don't know which character it didn't like, the ampersand or the semicolon
maybe, but either way it also broke the script. The escaping is what I had
to go with.

Would anyone suggest escaping things before I put them into SQL in the first
place? Currently the method I use to insert into SQL has no problem with
not escaping them... probably because it's escaping them by itself during
insert
only the resulting SQL does not have slashes in it.

Is it just a general good practice to write [Ginny\'s Wedding] to the DB
instead of [Ginny's Wedding] ? Or does it not matter as long as I make it
work for me either way?

--
Shawn Wilson

Re: Apostrophe issue

on 20.09.2005 12:39:21 by Hilarion

> I have a photo album page written in PHP where I pull captions and such from
> an SQL
> database and the result is of course an HTML page.
>
> My problem is with the use of an apostrophe (single quote) and other such
> characters as they break my HTML. I'm also using javascript and it's a
> problem there as well.
>
> How should I store such characters in SQL, or maybe just how should I read
> them out so they can't break my code, yet they show up on the screen fine?
>
> The method I use to insert such characters works without problems. In the
> SQL I get what was intended... e.g. Ginny's Wedding
>
> However when I pull it out I get this: (seemingly correct)
>
> > src="data/293/0/cover3.jpg" alt="Ginny's Wedding"
> onMouseOver="switchit('Ginny's Wedding - Jun 11 2005');"
> onMouseOut="clearit();">


>
> ...But then my JS is broken because the text is in single quotes and another
> extra one breaks it.


Assuming that you really have "Ginny's Wedding" in the database (which
is the correct approach) and you retrieve it from the database correctly (still
have "Ginny's Wedding", not for example "Ginny\'s Wedding") into a variable
called for example $name, then you could do it like this:

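<?php
// Sample values (normally read from the database); uncomment to run stand-alone.
//$ident = 'img_two';
//$name = "Ginny's Wedding";
//$location = 'data/293/0/cover3.jpg';

// Escape text for use inside a JavaScript string literal:
// quotes, backslash, newline and carriage return get a backslash.
function js_escape_string( $text )
{
    return addcslashes( $text, '\'\\"'."\n\r" );
}

// Every value is HTML-escaped last, just before it goes into an attribute.
$id = htmlspecialchars( $ident );
$src = htmlspecialchars( $location );
$alt = htmlspecialchars( $name );
// The caption is JS-escaped first, then the whole handler is HTML-escaped.
$onmouseover = htmlspecialchars( "switchit('" . js_escape_string( $name ) . "');" );
$onmouseout = htmlspecialchars( 'clearit();' );

// The markup inside this format string was lost in the archived copy (only
// '%s' survived); the tag below is reconstructed from the five arguments.
printf(
    '<img id="%s" src="%s" alt="%s" onmouseover="%s" onmouseout="%s" />',
    $id, $src, $alt, $onmouseover, $onmouseout
);
?>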


Function "js_escape_string" is designed to escape strings the way JavaScript
expects, so they can be placed as part of JavaScript strings. "htmlspecialchars"
is used to change characters which are special in HTML to their entity representation
(it'll work OK for attribute values enclosed with double quotes; if you want to
use single quotes, then you'll have to use the "htmlspecialchars" function's optional
parameter to make it also encode the single quote char).


Hilarion

PS.: "addslashes" function should not be used in place of "addcslashes" because
it does NOT escape many chars that JavaScript requires to be escaped.
If you notice that some character that should be escaped for JS is not
escaped, then add it to the second parameter of "addcslashes" in
"js_escape_string" function (you should escape "<" and ">" chars if the
string is inside ", but you
do not have to escape those chars if the JavaScript code is in HTML
attribute value).
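
The two-layer encoding described in the post above, as an added example that is not part of the thread and not Hilarion's code. It uses json_encode() for the JavaScript layer and simulates the browser's entity decoding to show why entity-encoding alone still breaks the handler. It assumes PHP 7.3 or later; the function names and the sample caption are constructed for illustration.

```php
<?php
// Added example, not code from the thread. $caption is a constructed sample.
$caption = "Ginny's \"Big\" Wedding <Jun 11> & more";

// Layer 1: encode for the JavaScript string-literal context.
// json_encode() emits a complete, double-quoted JS string; the JSON_HEX_*
// flags turn <, >, &, ' and " inside it into \uXXXX escapes.
function js_string_literal(string $text): string
{
    return json_encode(
        $text,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Layer 2: encode for the HTML attribute context (covers both quote styles).
function html_attr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What the browser passes to the JS engine: the attribute value after
// HTML entity decoding. Entities are gone before JavaScript is parsed.
function as_seen_by_js(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$variants = [
    // No encoding: the apostrophe ends the JS string early.
    'raw'                   => "switchit('" . $caption . "');",
    // HTML layer only: valid HTML, but decodes back to the broken JS above.
    'htmlspecialchars only' => html_attr("switchit('" . $caption . "');"),
    // JS layer first, HTML layer last: valid in both contexts.
    'js then html'          => html_attr('switchit(' . js_string_literal($caption) . ');'),
];

foreach ($variants as $label => $attr) {
    printf("%-22s attr: %s\n%-22s JS:   %s\n\n", $label, $attr, '', as_seen_by_js($attr));
}

// The alt text needs only the HTML layer, so no stray backslashes appear.
printf('<img src="%s" alt="%s" onmouseover="%s" onmouseout="clearit();">' . "\n",
    html_attr('data/293/0/cover3.jpg'),
    html_attr($caption),
    $variants['js then html']
);
```

The value stays unescaped in the database and in $caption; each encoding is applied only at the point of output, in the order innermost context first.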

Re: Apostrophe issue

on 20.09.2005 15:54:06 by jds

On Tue, 20 Sep 2005 12:39:21 +0200, Hilarion wrote:

>> onMouseOver="switchit('Ginny's Wedding - Jun 11 2005');"

I don't know what the switchit() function is doing, exactly, but does the
apostrophe *need* to be there? Meaning, is the switchit() function ever
producing output that may be read by a human?

If not, then why not just strip out all apostrophes and double-quotes
before they get to the JavaScript part -- the JS parser won't care if it
says "Ginny's Wedding" or "Ginnys Wedding" -- as long as the naming is
consistent throughout the page.

This is the technique I usually adopt to avoid the type of problem you are
having.

For example, if the switchit() function uses the passed in string as an id
for, say, document.getElementById(), then just make sure the id of the
item also has the apostrophe stripped out. Just an example.

How to strip out? preg_replace() or str_replace() or similar.

later...

--
JDS | jeffrey@example.invalid
| http://www.newtnotes.com
DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/

Re: Apostrophe issue

on 21.09.2005 00:14:32 by Shawn Wilson

"JDS" wrote in message
news:pan.2005.09.20.13.54.06.511030@example.invalid...
> On Tue, 20 Sep 2005 12:39:21 +0200, Hilarion wrote:
>
>>> onMouseOver="switchit('Ginny's Wedding - Jun 11 2005');"
>
> I don't know what the switchit() function is doing, exactly, but does the
> apostrophe *need* to be there? Meaning, is the switchit() function ever
> producing output that may be read by a human?
>
> If not, then why not just strip out all apostrophes and double-quotes
> before they get to the JavaScript part -- the JS parser won't care if it
> says "Ginny's Wedding" or "Ginnys Wedding" -- as long as the naming is
> consistent throughout the page.
>
> This is the technique I usually adopt to avoid the type of problem you are
> having.
>
> For example, if the switchit() function uses the passed in string as an id
> for, say, document.getElementById(), then just make sure the id of the
> item also has the apostrophe stripped out. Just an example.
>
> How to strip out? preg_replace() or str_replace() or similar.
>
> later...
>
> --
> JDS | jeffrey@example.invalid
> | http://www.newtnotes.com
> DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/
>

Yeah, switchit() is replacing text on screen with the text specified. I'm
using it to switch a caption box to the captions for each picture in an
array of thumbnails.


--
Shawn Wilson