“slash before every quote” problem

Question 1

I have a php page which contains a form.

Sometimes this page is submitted to itself (like when pics are uploaded).

I wouldn't want users to have to fill in every field again and again, so I use this as a value of a text-input inside the form:

value="<?php echo htmlentities(@$_POST['annonsera_headline'],ENT_COMPAT,'UTF-8');?>">

This works, except it adds a "" sign before every double-quote...

For instance writing 19" wheels gives after page is submitted to itself:

  19" wheels

And if I don't even use htmlentities then everything after the quotes dissappears.

What is the problem here?

UPDATE:

Okay, so the prob is magic_quotes... This is enabled on my server...

Should I disable it? I have root access and it is my server :)

Whats the harm in disabling it?

Question 2

Looks like you have magic quotes turned on. Use below condition using stripslashes with whatever text you want to process:

if(get_magic_quotes_gpc())
{
   $your_text = stripslashes($your_text);
}

Now you can process $your_text variable normally.

Update:

Magic quotes are exaplained here. For well written code there is normally no harm in disabling it.

Question 3

Calling session_regenerate_id() on every page may be a little bit of overkill, depending on your setup. The function is used to prevent session hijacking and should be used whenever a user elevates their level of privilege (such as logging in). Usually you would switch to a https connection once a user is logged in, meaning you only need to call session_regenerate_id() once as the new cookie would be tranmitted over a secure connection and wouldn't be able to be eavesdropped. However, if you don't have a SSL certificate on your server regenerating the session cookie on every page could be a good option.

When you call session_regenerate_id() you don't need to copy session data. This is all taken care of for you by PHP. Basically a new session token and cookie are created, session data is copied in the session store to be associated with the new token, and if you pass true as the single argument to the function the old session data file on disk is deleted.

What you store in the session to indicate if a user is logged in is up to you. I often just store a simple boolean value to indicate if they're logged in, along with other values holding usernames, name, etc. Then checking if someone is logged in is as simple as this:

<?php
    if ($_SESSION['logged_in']){
        //User logged in
    } else {
       //User not logged in
    }
?>

HTH.

Question 4

Aptana is a great choice for PHP,MySQL and Javascript.

As SpKET, Aptana supports a large no. of Javascript libraries from Prototype to ExtJs, I would like to mention JQuery especially, I am biased towards it. :) So you would get PHP + MySQL + Javascript together. Plus, Aptana supports Python (Pydev) as welll as Ruby On Rails (RadRails), in case you come across them in near future. Aptana is based on Eclipse and is Open Source.

But, Aptana does not provide WYSIWYG for HTML and CSS. Dreamweaver would be best for that, with all it's templates etc.

Question 5

It’s valid:

The path component may end with a slash (/).
The query component starts with the first question mark (?) in the URI.

Question 6

Edit: Update for Super CSV 2.1.0

Since Super CSV 2.1.0, you can now specify a QuoteMode via the preferences to enable quotes when they're normally not required. To quote every column, you can use the inbuilt AlwaysQuoteMode. If want to enable quotes for particular columns, use the ColumnQuoteMode. Please note that you can't disable quoting this way, you'd have to supply your own CsvEncoder to do that.

Thanks for bringing that forum post to my attention! Looks like Kasper didn't get around to implementing that feature. I'll see what I can do for the upcoming release :)

Instead of hacking the Super CSV source to add this 'quote everything' functionality, you could extend the Super CSV implementation in your own project . As you've mentioned, Super CSV only quotes the whole field if it contains special characters (quote, comma, etc) - it also does it if the field contains leading/trailing spaces.

With this in mind there's no reason you can't write your own Writer which overrides the escapeString() method (you just have to make sure it's not already quoted).

package org.supercsv.io;

import java.io.Writer;

import org.supercsv.prefs.CsvPreference;

public class QuoteAllCsvBeanWriter extends CsvBeanWriter {

    public QuoteAllCsvBeanWriter(Writer writer, CsvPreference preference) {
        super(writer, preference);
    }

    @Override
    protected String escapeString(String csvElement) {

        // perform normal escaping
        final String escaped = super.escapeString(csvElement);

        // add surrounding quotes if required
        final String quote = String.valueOf((char) preference.getQuoteChar());
        if (escaped.startsWith(quote) && escaped.endsWith(quote)){
            return escaped;
        } else {
            return quote + escaped + quote;
        }
    }

}

“slash before every quote” problem

Answers

php,mysql,html,security