Larry Ullman's Book Forums

I am using PHP 5.3 and MySQL 5.1. I am trying to use the results of a query in a form, so that they can be edited by the user if needed. My problem is that only the first word in each field is being displayed in the input field, rather than all the words in the field.

My testing code is:

 

<h2>Legal Form Data Update -1st option</h2>

<form action="??????.php" method="post">
<p>Customer: <input type="text" name="mycustomer" size="35" value=<?php echo $row['mycustomer']; ?>"/></p>
<p>Materials: <input type="text" name="matls1" size="35" value=<?php echo $row['matls1']; ?>"/></p>
<br />
<p>Customer: <input type="text" name="mycustomer" size="35" value=<?php echo $_SESSION['mycustomer']; ?>"/></p>
<p>Materials: <input type="text" name="matls1" size="35" value=<?php echo $_SESSION['mat1']; ?>"/></p>
<br />
<p>Customer: <input type="text" name="mycustomer" size="35" value=<?php echo $mycus; ?>"/></p>
<p>Materials: <input type="text" name="matls1" size="35" value=<?php echo $matls1; ?>"/></p>
<br />
<p><input type="submit" name="submit" value="SUBMIT" /></p>
<input type="hidden" name="submitted" value="TRUE" />
</form>

 

I am trying three different methods to echo the results. All three return the same results as shown next, but not the complete data:

Legal Form Data Update -1st option

Customer: CONCRETE
Materials: READY

Customer: CONCRETE
Materials: READY

Customer: CONCRETE
Materials: READY

This is what should be displayed:

Materials: READY MIX CONCRETE
Customer: CONCRETE FOR ALL

 

Mahalo for any help you can give me.

dickm


I think your problem is that you are missing quotes around the form element value attributes. Since the values you are reading in from the database contain spaces, only the first word is recognized as the value, and the other words are being interpreted as invalid element attributes and your browser is ignoring them. Try placing quotes around the value attributes, like so:

<p>Customer: <input type="text" name="mycustomer" size="35"  value="<?php echo $row['mycustomer']; ?>"/></p>
                                       	Missing quote here ^

You are also using the same name for elements (mycustomer 3 times, and matls1 3 times). You should make all the names unique for text fields. This isn't the cause of your problem (the quotes issue is), but if you want to do something with the values you'll need to change the names or you will only get the last mycustomer and matls1 values.

  • Upvote 1

Is that your full code?

 

Or do you have any more inside that page (or fed from another page)?

This is just the display part of the code. Not shown is the MySQL query of the database and the creation of the $_SESSION variable. Also, the three are just attempts with minor code changes. Only one Customer line would be used and only one Materials line in the real live code.

 

dickm


Thanks Paul,

That change made the mycustomer field return the correct value, but there is still a problem with the materials line. That data value is contained within "" inside the field, i.e. "Ready Mix Concrete", so after adding the quote, I am now getting a blank return (no value).

 

dickm


Thanks to everyone for their help as it solved my problem with the missing quote addition. However, I then found another problem and that was the data. It seems the practice by the company is to enclose some data in "" the double quote such as "MY NAME" and therefore I was losing data, so I made the following change to the code and all is now working correctly.

 

The original section of problem code was ..........value="<?php echo $row['mycustomer']; ?>". So because of the " in some of the data fields, I changed the code to ........

...................................................value='<?php echo $row['mycustomer']; ?>', using the single quote instead of the double quote.

 

Mahalo to all

 

dickm


Thanks for letting us know, but this isn't actually a fix. What if there's a single quote in a value? Then you'd have the same problem. And technically, I believe HTML attributes are supposed to use double quotation marks. A better, reliable solution would be to apply htmlentities() to the data before you print it.


It sounds like when data is being inserted into your database, it isn't being escaped first. Escaping data before inserting into a database makes your SQL more secure because it can prevent SQL injection attacks (when a malicious user enters SQL commands into your form fields). If your site is on an intranet, it might not be much of a risk, but if this is a publicly accessible site you really should escape the data.

 

See page 254 in Chapter 7 - "Ensuring Secure SQL" for a discussion on this topic, as well as a function which will do the escaping for you. An even better escape_data function is listed in script 13.4 on page 538. By escaping the data, the escape character (\ = backslash) is inserted in front of certain characters, including both single and double quotes. When printing the data retrieved from the database, you'll need to use the stripslashes() function to remove the slashes and get the output you want to display.

 

The quotes in the database were causing you problems because when you echo it out it would look like:

value=""My Customer Name""

So your browser would see value="" plus some extra invalid attribute names of My, and Customer, and a second occurrence of a valid attribute: name. I recommend that you also make use of htmlspecialchars() before echoing to convert single and double quotes (among other characters) to HTML entities. With your current code, you're going to run into the same problem if someone spells Hawaii Hawai'i, or their last name is O'Reilly.

  • Upvote 1
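
The escaping recommended in the last two replies, written out as an added example that is not part of any post in this thread. The helper names h() and text_input(), the numbered field names and the sample rows are assumptions made for illustration; array() syntax is used so it runs on the PHP 5.3 mentioned in the question.

```php
<?php
// Added example, not code from the thread. Sample rows are constructed.

/**
 * Escape a value for use inside a quoted HTML attribute (or element text).
 * ENT_QUOTES converts both " and ' so the value cannot close the attribute,
 * whichever quote style the template uses. The charset is passed explicitly
 * because PHP 5.3 defaults to ISO-8859-1.
 */
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/** Build one labelled text input; $name is a hypothetical unique field name. */
function text_input($label, $name, $value)
{
    return sprintf(
        '<p>%s: <input type="text" name="%s" size="35" value="%s" /></p>',
        h($label), h($name), h($value)
    );
}

// Constructed rows standing in for the query result ($row in the thread).
$rows = array(
    array('mycustomer' => 'CONCRETE FOR ALL', 'matls1' => '"READY MIX CONCRETE"'),
    array('mycustomer' => "O'Reilly & Sons",  'matls1' => "Hawai'i <blend>"),
);

foreach ($rows as $i => $row) {
    // Unique names per row, so every value arrives in $_POST on submit.
    echo text_input('Customer',  "mycustomer_$i", $row['mycustomer']), "\n";
    echo text_input('Materials', "matls1_$i",     $row['matls1']), "\n";
}

// The browser decodes the entities when it parses the attribute, so the field
// shows, and submits, the original text. Decoding by hand shows the round trip.
$escaped = h('"READY MIX CONCRETE"');
echo $escaped, "\n";
echo htmlspecialchars_decode($escaped, ENT_QUOTES), "\n";
```

Because every quote, ampersand and angle bracket in the stored value is turned into an entity, the value stays inside the value attribute and cannot add attributes or markup of its own to the page.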