OK I am trying to add a search function to Lazarus. Al is working fine except where single quotes are concerned. At present it accepts both POST and GET data with POST coming last. Anyway if you submit a ' via POST all is fine. I then pass the search string to urlencode before adding it to the end of pagination links. That works fine with ' becoming %27. I decode when I turn the GET into a standard variable and thats fine as it becomes \'. I strip slashes if needed then pass to htmlspcialchars. It keeps converting the ' into & #039 even with ENT_COMPAT set which according to php.net<br /><!--quoteo--><div class='quotetop'>QUOTE</div><div class='quotemain'><!--quotec-->The default mode, ENT_COMPAT, is the backwards compatible mode which only translates the double-quote character and leaves the single-quote untranslated.<!--QuoteEnd--></div><!--QuoteEEnd--><br />Apart from that my search function is fine so any ideas or am I going to have to use a hack fix and convert ' to & #039 myself in the code.<br /><br />BTW this damn forum is stupid. It converts & #039 into ' but leaves & alone.<!--content-->
Based on my testing, using htmlspecialchars() with any of the quote style constants (or none of them) works as described in the PHP documentation. I wrote the following script and tested it on my server:<br /><!--c1--><div class='codetop'>CODE</div><div class='codemain'><!--ec1--><?php<br />header('Content-Type: text/plain');<br />echo 'ENT_COMPAT = ' . ENT_COMPAT . "\n";<br />echo 'ENT_QUOTES = ' . ENT_QUOTES . "\n";<br />echo 'ENT_NOQUOTES = ' . ENT_NOQUOTES . "\n";<br />echo "\n";<br />$text = 'one \' two " three &';<br />echo "Encoding special characters in string [$text]:\n";<br />echo 'DEFAULT: ' . htmlspecialchars($text) . "\n";<br />echo 'ENT_COMPAT: ' . htmlspecialchars($text, ENT_COMPAT) . "\n";<br />echo 'ENT_QUOTES: ' . htmlspecialchars($text, ENT_QUOTES) . "\n";<br />echo 'ENT_NOQUOTES: ' . htmlspecialchars($text, ENT_NOQUOTES) . "\n";<br />?><!--c2--></div><!--ec2--><br />The script displays the following results:<br /><!--c1--><div class='codetop'>CODE</div><div class='codemain'><!--ec1-->ENT_COMPAT = 2<br />ENT_QUOTES = 3<br />ENT_NOQUOTES = 0<br /><br />Encoding special characters in string [one ' two " three &]:<br />DEFAULT: one ' two " three &<br />ENT_COMPAT: one ' two " three &<br />ENT_QUOTES: one ' two " three &<br />ENT_NOQUOTES: one ' two " three &<!--c2--></div><!--ec2--><br />Each of the quote style constants is being properly evaluated by PHP, and when used in htmlspecialchars(), each quote style constant is encoding the correct characters.<br /><br />It's hard to say what's going on without seeing the code and/or a concrete example, but it doesn't look like it's due to htmlspecialchars() not handling ENT_COMPAT correctly. <img src="http://www.totalchoicehosting.com/forums/style_emoticons/default/huh.gif" style="vertical-align:middle" emoid=":huh:" border="0" alt="huh.gif" /><!--content-->
No after some more testing the bug is errr bizarre. I now have both POST and GET to work exactly the same. Slashed are stripped, it's passed to htmlspecialchars etc. But for some reason the ' from a GET request is converted but not from a POST request. Here are the code snippets. First one is getting the variables from the requests.<br /><!--c1--><div class='codetop'>CODE</div><div class='codemain'><!--ec1-->$gb->searchfield = (isset($_GET['searchfield'])) ? $_GET['searchfield'] : '';<br />Â Â $gb->searchtext = (isset($_GET['searchtext'])) ? urldecode($_GET['searchtext']) : '';<br />Â Â $gb->searchfield = (isset($_POST['searchfield'])) ? $_POST['searchfield'] : $gb->searchfield;<br />Â Â $gb->searchtext = (isset($_POST['searchtext'])) ? urldecode($_POST['searchtext']) : $gb->searchtext;<!--c2--></div><!--ec2--><br /><br />Here is where I handle it.<br /><!--c1--><div class='codetop'>CODE</div><div class='codemain'><!--ec1-->if (get_magic_quotes_gpc())<br />{<br />$this->searchtext = stripslashes($this->searchtext);<br />}<br />$this->searchtext = htmlspecialchars($this->searchtext, ENT_COMPAT);<br />$this->searchquery = ' AND '.$this->searchfield.' LIKE \'%'.$this->searchtext.'%\'';<br />$this->searchquery2 = ' AND x.'.$this->searchfield.' LIKE \'%'.$this->searchtext.'%\'';<br />$this->searchtext = urlencode($this->db->undo_htmlspecialchars($this->searchtext));<br />$this->postsearch = '<input type="hidden" name="searchfield" value="'.$this->searchfield.'"><br /><input type="hidden" name="searchtext" value="'.$this->searchtext.'">';<br />$this->getsearch = '&searchfield='.$this->searchfield.'&searchtext='.$this->searchtext;<!--c2--></div><!--ec2--><br /><br />I did some testing by having it echo the searchtext at various points and it's definately after<br />$this->searchtext = htmlspecialchars($this->searchtext, ENT_COMPAT)<br />that the ' is getting cinverted.<!--content-->
Based on my testing, using htmlspecialchars() with any of the quote style constants (or none of them) works as described in the PHP documentation. I wrote the following script and tested it on my server:<br /><!--c1--><div class='codetop'>CODE</div><div class='codemain'><!--ec1--><?php<br />header('Content-Type: text/plain');<br />echo 'ENT_COMPAT = ' . ENT_COMPAT . "\n";<br />echo 'ENT_QUOTES = ' . ENT_QUOTES . "\n";<br />echo 'ENT_NOQUOTES = ' . ENT_NOQUOTES . "\n";<br />echo "\n";<br />$text = 'one \' two " three &';<br />echo "Encoding special characters in string [$text]:\n";<br />echo 'DEFAULT: ' . htmlspecialchars($text) . "\n";<br />echo 'ENT_COMPAT: ' . htmlspecialchars($text, ENT_COMPAT) . "\n";<br />echo 'ENT_QUOTES: ' . htmlspecialchars($text, ENT_QUOTES) . "\n";<br />echo 'ENT_NOQUOTES: ' . htmlspecialchars($text, ENT_NOQUOTES) . "\n";<br />?><!--c2--></div><!--ec2--><br />The script displays the following results:<br /><!--c1--><div class='codetop'>CODE</div><div class='codemain'><!--ec1-->ENT_COMPAT = 2<br />ENT_QUOTES = 3<br />ENT_NOQUOTES = 0<br /><br />Encoding special characters in string [one ' two " three &]:<br />DEFAULT: one ' two " three &<br />ENT_COMPAT: one ' two " three &<br />ENT_QUOTES: one ' two " three &<br />ENT_NOQUOTES: one ' two " three &<!--c2--></div><!--ec2--><br />Each of the quote style constants is being properly evaluated by PHP, and when used in htmlspecialchars(), each quote style constant is encoding the correct characters.<br /><br />It's hard to say what's going on without seeing the code and/or a concrete example, but it doesn't look like it's due to htmlspecialchars() not handling ENT_COMPAT correctly. <img src="http://www.totalchoicehosting.com/forums/style_emoticons/default/huh.gif" style="vertical-align:middle" emoid=":huh:" border="0" alt="huh.gif" /><!--content-->
No after some more testing the bug is errr bizarre. I now have both POST and GET to work exactly the same. Slashed are stripped, it's passed to htmlspecialchars etc. But for some reason the ' from a GET request is converted but not from a POST request. Here are the code snippets. First one is getting the variables from the requests.<br /><!--c1--><div class='codetop'>CODE</div><div class='codemain'><!--ec1-->$gb->searchfield = (isset($_GET['searchfield'])) ? $_GET['searchfield'] : '';<br />Â Â $gb->searchtext = (isset($_GET['searchtext'])) ? urldecode($_GET['searchtext']) : '';<br />Â Â $gb->searchfield = (isset($_POST['searchfield'])) ? $_POST['searchfield'] : $gb->searchfield;<br />Â Â $gb->searchtext = (isset($_POST['searchtext'])) ? urldecode($_POST['searchtext']) : $gb->searchtext;<!--c2--></div><!--ec2--><br /><br />Here is where I handle it.<br /><!--c1--><div class='codetop'>CODE</div><div class='codemain'><!--ec1-->if (get_magic_quotes_gpc())<br />{<br />$this->searchtext = stripslashes($this->searchtext);<br />}<br />$this->searchtext = htmlspecialchars($this->searchtext, ENT_COMPAT);<br />$this->searchquery = ' AND '.$this->searchfield.' LIKE \'%'.$this->searchtext.'%\'';<br />$this->searchquery2 = ' AND x.'.$this->searchfield.' LIKE \'%'.$this->searchtext.'%\'';<br />$this->searchtext = urlencode($this->db->undo_htmlspecialchars($this->searchtext));<br />$this->postsearch = '<input type="hidden" name="searchfield" value="'.$this->searchfield.'"><br /><input type="hidden" name="searchtext" value="'.$this->searchtext.'">';<br />$this->getsearch = '&searchfield='.$this->searchfield.'&searchtext='.$this->searchtext;<!--c2--></div><!--ec2--><br /><br />I did some testing by having it echo the searchtext at various points and it's definately after<br />$this->searchtext = htmlspecialchars($this->searchtext, ENT_COMPAT)<br />that the ' is getting cinverted.<!--content-->