Jump to content
Larry Ullman's Book Forums

Recommended Posts

I am using PHP 5.3 and Mysql 5.1. I am trying to use the results of a query in a form, so that they can be edited by the user if needed. My problem is that only the first word in each field is being displayed in the input field, rather than all the words in the field.

My testing code is:

 

<h2>Legal Form Data Update -1st option</h2>

 

 

<form action="??????.php" method="post">

<p>Customer: <input type="text" name="mycustomer" size="35" value=<?php echo $row['mycustomer']; ?>"/></p>

<p>Materials: <input type="text" name="matls1" size="35" value=<?php echo $row['matls1']; ?>"/></p>

<br />

<p>Customer: <input type="text" name="mycustomer" size="35" value=<?php echo $_SESSION['mycustomer']; ?>"/></p>

<p>Materials: <input type="text" name="matls1" size="35" value=<?php echo $_SESSION['mat1']; ?>"/></p>

<br />

<p>Customer: <input type="text" name="mycustomer" size="35" value=<?php echo $mycus; ?>"/></p>

<p>Materials: <input type="text" name="matls1" size="35" value=<?php echo $matls1; ?>"/></p>

<br />

<p><input type="submit" name="submit" value="SUBMIT" /></p>

<input type="hidden" name="submitted" value="TRUE" />

</form>

 

I am trying three different methods to echo the results. All three return the same results as shown next, but not the complete data :

 

Legal Form Data Update -1st option

 

Customer: CONCRETE

 

Materials: READY

 

Customer: CONCRETE

 

Materials: READY

 

Customer: CONCRETE

 

Materials: READY

 

This is what should be displayed:

Materials: READY MIX CONCRETE

Customer: CONCRETE FOR ALL

 

Mahalo for any help you can give me.

dickm

Link to comment
Share on other sites

I think your problem is that you are missing quotes around the form element value attributes. Since the values you are reading in from the database contain spaces, only the first word is recognized as the value, and the other words are being interpreted as invalid element attributes and your browser is ignoring them. Try placing quotes around the value attributes, like so:

<p>Customer: <input type="text" name="mycustomer" size="35"  value="<?php echo $row['mycustomer']; ?>"/></p>
                                       	Missing quote here ^

You are also using the same name for elements (mycustomer 3 times, and matls1 3 times). You should make all the names unique for text fields. This isn't the cause of your problem (the quotes issue is), but if you want to do something with the values you'll need to change the names or you will only get the last mycustomer and matls1 values.

  • Upvote 1
Link to comment
Share on other sites

Is that your full code?

 

Or do you have any more inside that page (or fed from another page)?

This is just the display part of the code. Not showing is the mysql query of the database and the creation of $_Session variable. Also the three are just attempts with minor code changes. Only one Customer line would be used and only one materials line in the real live code

 

dickm

Link to comment
Share on other sites

I think your problem is that you are missing quotes around the form element value attributes. Since the values you are reading in from the database contain spaces, only the first word is recognized as the value, and the other words are being interpreted as invalid element attributes and your browser is ignoring them. Try placing quotes around the value attributes, like so:

<p>Customer: <input type="text" name="mycustomer" size="35"  value="<?php echo $row['mycustomer']; ?>"/></p>
                                       	Missing quote here ^

You are also using the same name for elements (mycustomer 3 times, and matls1 3 times). You should make all the names unique for text fields. This isn't the cause of your problem (the quotes issue is), but if you want to do something with the values you'll need to change the names or you will only get the last mycustomer and matls1 values.

 

 

Thanks Paul,

That change made the mycustomer field return the correct value, but still a problem with the materials line. That data value is contained within "" inside the field. i.e. "Ready Mix Concrete", so after added the quote, I am now getting a blank return (no value).

 

dickm

Link to comment
Share on other sites

Thanks to everyone for their help as it solved my problem with the missing quote addition. However, I then found another problem and that was the data. It seems the practice by the company is to enclose some data in "" the double quote such as "MY NAME" and therefore I was losing data, so I made the following change to the code and all is now working correctly.

 

The original section of problem code was ..........value="<?php echo $row['mycustomer']; ?>". So because of the " in some of the data fields, I changed the code to ........

...................................................value='<?php echo $row['mycustomer']; ?>', using the single quote instead of the double quote.

 

Mahalo to all

 

dickm

Link to comment
Share on other sites

Thanks for letting us know, but this isn't actually a fix. What if there's a single quote in a value? Then you'd have the same problem. And technically, I believe HTML attributes are supposed to use double quotation marks. A better, reliable solution would be to apply htmlentities() to the data before you print it.

Link to comment
Share on other sites

It sounds like when data is being inserted into your database, it isn't being escaped first. Escaping data before inserting into a database makes your SQL more secure because it can prevent SQL injection attacks (when a malicious user enters SQL commands into your form fields). If your site is on an intranet, it might not be much of a risk, but if this is a publicly accessible site you really should escape the data.

 

See page 254 in Chapter 7 - "Ensuring Secure SQL" for a discussion on this topic, as well as a function which will do the escaping for you. An even better escape_data function is listed in script 13.4 on page 538. By escaping the data, the escape character (\ = backslash) is inserted in front of certain characters, including both single and double quotes. When printing the data retrieved from the database, you'll need to use the stripslashes() function to remove the slashes and get the output you want to display.

 

The quotes in the database were causing you problems because when you echo it out it would look like:

value=""My Customer Name""

So your browser would see value="" plus some extra invalid attribute names of My, and Customer, and a second occurrence of a valid attribute: name. I recommend that you also make use of htmlspecialchars() before echoing to convert single and double quotes (among other characters) to HTML entities. With your current code, you're going to run into the same problem if some spells Hawaii Hawai'i, or their last name is O'Reilly.

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...