I cannot get my addslashes function and html option value to play nice together. My initial problem was the single quote in the option but by solving that I seem to have created another issue whereby $titleunit_name only comes through with the first word.

This is what I want to come out:

baroffice=O'Fallon & Highway K&N

titleunit_name=O'Fallon & Highway K&N

cleantitleunit_name=O\'Fallon & Highway K&N

This is what I get:

baroffice=O'Fallon

titleunit_name=O'Fallon & Highway K&N

cleantitleunit_name=O\'Fallon & Highway K&N

I don't know if it matters, but the values are normally coming from and being sent back to MS SQL.

<form method="post" action="formtest.php?" id="searchform" target="" autocomplete="off">


<div id="office">

<font style="font-size:12px; font-weight:bold;" color="#002EB8" face="Verdana">
Closing Office:</font>

<select name="baroffice" style="width:90px">
<?php
$titleunit_name= "O'Fallon & Highway K&N";
$cleantitleunit_name=addslashes("$titleunit_name");

echo "<option value=$cleantitleunit_name name= '$titleunit_name'>"; 
echo "$titleunit_name</option>";

?>
</select></div><br>
<br><Br>
<input type="submit" name="submit" value="submit" style="position:relative;z-index:3">
<br><Br>
</form>

<?php
$baroffice = str_replace("\'","'",($_POST['baroffice']));

if (isset($_POST['submit']))
{

echo "baroffice=$baroffice<br>";
echo "titleunit_name=$titleunit_name<br>";
echo "cleantitleunit_name=$cleantitleunit_name<br>";


}
else
{echo "";
};

?>

Thanks for any help in advance.

+1  A: 

First of all, you don't need double quotes around variables. Just $titleunit_name is correct, not "$titleunit_name".

Second, never use addslashes. If you're escaping content to go into MySQL use the more robust mysql_real_escape_string function. addslashes misses cases and leaves your script every bit as open to attack as if you hadn't used it at all.

And finally, slashes do not belong in HTML output. You're looking for the htmlspecialchars function, which prepares a string to be written into an HTML document.

echo '<option value="' . htmlspecialchars($titleunit_name) . '" name="' . htmlspecialchars($titleunit_name) . '">' . htmlspecialchars($titleunit_name) . '</option>';

Note that all uses of $titleunit_name (or any other variable) must be escaped in this way before writing them out to the page.

Now, I'm guessing from context that you have "magic quotes" turned on, so PHP is automatically performing an addslashes on incoming POST data. If so, turn off magic quotes, and when it's time to insert a string into the database perform the appropriate escaping then. If this is not possible, then use stripslashes to strip the slashes from all POSTed data at the beginning of the script execution so that you're getting the data as submitted.

VoteyDisciple
Thanks for the help. It's actually not MySQL, but ODBC for MS SQL. Still you corrected a lot of my formatting and that did it!
bnw
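
Why the unquoted value attribute in the question submits only the first word, and why the quoted, htmlspecialchars-escaped form from the answer returns the full string: this is an added example, not code from either poster. The helper names (submitted_value, option_from_question, option_escaped), the use of DOMDocument to stand in for the browser's HTML parser, and the ENT_QUOTES flag are assumptions of this example.

```php
<?php
// Added example, not from the original thread. Sample value taken from the question.
$titleunit_name = "O'Fallon & Highway K&N";

// Parse the markup the way a browser would and return the value attribute
// of the first <option>, i.e. what the form would submit as "baroffice".
function submitted_value(string $html): string
{
    libxml_use_internal_errors(true);   // the question's markup is malformed on purpose
    $doc = new DOMDocument();
    $doc->loadHTML('<select>' . $html . '</select>');
    libxml_clear_errors();
    $option = $doc->getElementsByTagName('option')->item(0);
    return $option->getAttribute('value');
}

// Markup as written in the question: addslashes() plus an unquoted attribute.
// An unquoted attribute value ends at the first whitespace character.
function option_from_question(string $name): string
{
    $clean = addslashes($name);
    return "<option value=$clean name= '$name'>$name</option>";
}

// Markup as recommended in the answer: quoted attribute, HTML-escaped value.
// ENT_QUOTES also encodes the single quote, so the result is safe in either
// quoting style (an addition of this example, not part of the answer's code).
function option_escaped(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<option value="' . $safe . '">' . $safe . '</option>';
}

$before = submitted_value(option_from_question($titleunit_name));
$after  = submitted_value(option_escaped($titleunit_name));

echo "question markup submits: $before\n";
echo "escaped markup submits:  $after\n";

// The escaped form round-trips the original string unchanged; the question's
// form does not, which is the truncation the asker observed.
var_dump($before === $titleunit_name);
var_dump($after === $titleunit_name);
```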