Topic: Single and double quote in Item Description
Items like "Pipe 15 ft long" in the Item description display fine. But if the abbreviation of feet as an apostrophe / single quote is used, then it gets entered into the table as &#039; instead.
Hence the Item "Pipe 15' long" now becomes "Pipe 15&#039; long".
This is due to the way the function db_escape() is programmed in includes/db/connect_db.inc.
    function db_escape($value = "", $nullify = false)
    {
        // decode any entities already present, then re-encode with ENT_QUOTES
        // (this is where a literal ' becomes &#039; before it is sent to MySQL)
        $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
        $value = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding);

        //reset default if second parameter is skipped
        $nullify = ($nullify === null) ? (false) : ($nullify);

        //check for null/unset/empty strings
        if ((!isset($value)) || (is_null($value)) || ($value === "")) {
            $value = ($nullify) ? ("NULL") : ("''");
        } else {
            if (is_string($value)) {
                //value is a string and should be quoted; determine best method based on available extensions
                if (function_exists('mysql_real_escape_string')) {
                    $value = "'" . mysql_real_escape_string($value) . "'";
                } else {
                    $value = "'" . mysql_escape_string($value) . "'";
                }
            } else if (!is_numeric($value)) {
                //value is not a string nor numeric
                display_error("ERROR: incorrect data type sent to sql query");
                echo '<br><br>';
                exit();
            }
        }
        return $value;
    }
MySQL now has a built-in QUOTE() function that can dispense with quoting / cleaning up any string to be entered through SQL directly.
The use of htmlspecialchars() is dictated by certain PHP environment settings:
' " ' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
" ' " (single quote) becomes '&#039;' only when ENT_QUOTES is set.
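The following script is an added illustration, not FrontAccounting's own code. It reproduces the decode/re-encode step of db_escape() on the "Pipe 15' long" example, and contrasts it with the approach of keeping SQL escaping and HTML escaping apart: the raw value is handed to the database as a bound parameter, and htmlspecialchars() is applied only when the value is rendered in a page. The table name `item`, the in-memory SQLite connection and the sample description are assumptions made for the demo.

```php
<?php
// Added example (not FrontAccounting code). Shows why a single quote turns into
// &#039; in the database, and a way to store it unchanged.
declare(strict_types=1);

// Mimics the first two lines of the original db_escape(): decode entities, then
// re-encode with ENT_QUOTES. A literal ' in the input comes out as &#039;.
function entity_roundtrip(string $value, string $encoding = 'UTF-8'): string
{
    $value = html_entity_decode($value, ENT_QUOTES, $encoding);
    return htmlspecialchars($value, ENT_QUOTES, $encoding);
}

// Storage side: pass the value as a bound parameter so the driver quotes it.
// No HTML encoding happens here, so the stored text is exactly what was typed.
function insert_item(PDO $pdo, string $description): void
{
    $stmt = $pdo->prepare('INSERT INTO item (description) VALUES (:d)');
    $stmt->execute([':d' => $description]);
}

function fetch_descriptions(PDO $pdo): array
{
    return $pdo->query('SELECT description FROM item ORDER BY rowid')
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Output side: encode for HTML only when rendering, never before storing.
function html_out(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input (the case from the post).
$description = "Pipe 15' long";

// 1. What the original db_escape() does to the value before SQL escaping.
$encoded = entity_roundtrip($description);
echo "after decode/re-encode: {$encoded}\n";

// 2. Storing the raw value through a prepared statement instead (SQLite in memory,
//    assumed available via pdo_sqlite; MySQL via PDO works the same way).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE item (description TEXT NOT NULL)');
insert_item($pdo, $description);
insert_item($pdo, 'Pipe 15 ft long');

foreach (fetch_descriptions($pdo) as $stored) {
    $unchanged = ($stored === $description || $stored === 'Pipe 15 ft long') ? 'yes' : 'no';
    echo "stored: {$stored} | unchanged: {$unchanged} | rendered: " . html_out($stored) . "\n";
}
```

The point of the split is that the entity form &#039; is an HTML concern: it is correct when the description is written into a page, and wrong when it is written into a column that other code (reports, exports, searches on the literal text) will read back. Binding the parameter also removes the need for mysql_real_escape_string() or a hand-built QUOTE() call, since the driver handles quoting for the target database.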