phpmysqlstripslashesaddslashes

Escaping quotes in PHP from MySQL result (PDO)


The string to display comes from a MySQL table. I use PDO queries. The string contains double quotes:

Older spelling (from French). The modernized "petty larceny" is now preferred.

This is a definition of a dictionary entry that is displayed if available:

$search_results .= (!empty($english_definition)? "<a class=\"definition\" href=\"#\" data-toggle=\"popover\" rel=\"popover\"
data-content=\"".$english_definition."\">".$english."*</a>" : $english);

Because of the quotes, the definition is cut to after the word "modernized".

I tried using addslashes() but the result is that a single slash is displayed, and nothing after it.

I also tried adding slashes inside the table field, e.g.

Older spelling (from French). The modernized \"petty larceny\" is now preferred.

Without stripslashes() in the PHP code, only the first backward slash is displayed and nothing after it.

When I add stripslashes(), nothing is displayed after the word "modernized".

So, this is where I am stuck.

ADDITIONAL CODE: This is how I insert new terms and definitions. I have added htmlspecialchars() for input where quotes could exist:

        if(isset($_POST['submit'])) {

        $english                = htmlspecialchars($_POST['english']);
        $english_abbr           = $_POST['english_abbr'];
        $variant                = $_POST['variant'];
        $bulgarian              = htmlspecialchars($_POST['bulgarian']);
        $bulgarian_abbr         = $_POST['bulgarian_abbr'];
        $theme_id               = $_POST['theme_id'];
        $english_definition     = htmlspecialchars($_POST['english_definition']);
        $bulgarian_definition   = htmlspecialchars($_POST['bulgarian_definition']);

        // Check if an entry already exists
        $exists = $db->prepare("SELECT * FROM ".DICTIONARY_TABLE." WHERE english = :english AND theme_id = :theme_id ");
        $exists->execute(array(':english' => $english, ':theme_id' => $theme_id));
        $count = $exists->rowCount();
        if($count > 0) {
            echo "<h3 style=\"color:navy; background:transparent;\">&#8658; An entry in the same theme already exists.</h3>";
        }
        else {
            $insert = $db->prepare("INSERT INTO ".DICTIONARY_TABLE." 
                                    (english, english_abbr, variant, bulgarian, bulgarian_abbr, theme_id)
                                    VALUES
                                    (:english, :english_abbr, :variant, :bulgarian, :bulgarian_abbr, :theme_id)");
            $insert->execute(array(':english'           => $english, 
                                    ':english_abbr'     => $english_abbr,
                                    ':variant'          => $variant,
                                    ':bulgarian'        => $bulgarian,
                                    ':bulgarian_abbr'   => $bulgarian_abbr,
                                    ':theme_id'         => $theme_id));

            if($insert) {
                echo "<h4 style=\"color:green; background:transparent;\">&#8658; Term \"$english\" inserted successfully.</h4>";

                if(!empty($english_definition) || !empty($bulgarian_definition)) {      
                    $insert_id = $db->lastInsertId();
                    $insert_def = $db->prepare(
                            "INSERT INTO ".DICTIONARY_DEFINITIONS." 
                            (term_id, english_definition, bulgarian_definition)
                            VALUES
                            (:term_id, :english_definition, :bulgarian_definition)");
                    $insert_def->execute(array(
                            ':term_id' => $insert_id, 
                            ':english_definition'   => $english_definition,
                            ':bulgarian_definition' => $bulgarian_definition));

                    if($insert_def) {
                        echo "<h4 style=\"color:green; background:transparent;\">&#8658; Definition(s) inserted successfully.</h4>";
                    }
                    else {
                        echo "<h4 style=\"color:red; background:transparent;\">&#8658; There was a problem inserting the definition(s)!</h4>";
                    }
                }

                unset($_POST); $_POST = array();
            }
            else { 
                echo "<h4 style=\"color:red; background:transparent;\">&#8658; There was a problem executing the query: </h4>";
            }
        }
        include("insert_form.php");
    }
    else {
        include("insert_form.php");
    }

Solution

  • use htmlspecialchars() function when you save it to the database, and htmlspecialchars_decode() function when you want to echo it again.

    Link to htmlspecialchars() function

    Link to htmlspecialchars_decode() function