
Handling quotes

As you may already know, there is a common problem with forms, databases and PHP: each of them handles quotes in its own way. It is not a hard problem, but it is one you have to take care of deliberately:

  • the root of the problem: to insert data into a database, quotes inside the data must be escaped, otherwise a value such as John's book ends the string literal early, which breaks the query and, with attacker-supplied input, permits SQL injection: INSERT INTO books (title) VALUES ("John\'s book")
  • in other contexts quotes rarely need this kind of escaping (no slashes are needed when submitted form data is sent by e-mail, for example; printing data back into HTML needs a different escaping, htmlspecialchars(), which has nothing to do with slashes)
  • PHP has a built-in feature called magic quotes (the magic_quotes_gpc setting in php.ini). In earlier PHP versions it seemed a good idea to have all $_GET, $_POST and $_COOKIE data escaped automatically, so it was the factory default, and there was no need to call addslashes() before inserting data into a database. This concept has led to unportable applications: the same code behaves differently depending on a php.ini setting. Magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4.
  • Current PHP versions ship with magic_quotes_gpc turned off (or without it at all), so you have to decide where in your code quotes are taken care of.

Clonefish was built to handle forms transparently, so you can migrate existing code to clonefish whether magic_quotes_gpc is on or off. For that reason, every method that passes data in or out takes a parameter stating whether the data is escaped:

  • $cf->addElements( $config, $_POST, get_magic_quotes_gpc() )
  • $cf->getElementValues( get_magic_quotes_gpc() )
  • $cf->getValue( 'elementname', get_magic_quotes_gpc() )
  • $element->getValue( get_magic_quotes_gpc() )
  • $element->setValue( 'value', get_magic_quotes_gpc() )

Why are these extra parameters useful? There is one rule to remember: clonefish keeps things clean. Whatever you give to clonefish must be flagged as already escaped or not, so clonefish knows whether it has to strip the slashes. Internally clonefish therefore always holds unescaped values; that single canonical form is the essence of the process, and it is what prevents a value from being escaped twice (leaving stray backslashes in the data) or not at all.

When you call the get...() methods you know what the values are for: for a hand-built database query you want them escaped; if your database abstraction layer adds the slashes itself (or, better, binds the values as parameters of a prepared statement) you do not; and for an e-mail built from the values you do not either. Use the parameters as your needs dictate. Keep in mind that the escaping requested here is addslashes()-style: it is not a substitute for your database driver's own escaping function or for parameterised queries, which remain the right defence against SQL injection. For a detailed description, see the reference for the methods.

Note: the method calls above use get_magic_quotes_gpc() everywhere. If you call the methods this way, clonefish is transparent and returns values exactly as PHP would, depending on the magic_quotes_gpc setting. It is much better to pass a flag that matches the actual state of each piece of data instead. For example:

  • $cf->addElements( $config, $_POST, get_magic_quotes_gpc() )
    (get_magic_quotes_gpc() is the right flag here, because PHP itself knows whether the $_POST array has been escaped)
  • $cf->addElements( $config, $dbrow, false )
    (when we have just selected a row from the database, whose values are unescaped, and we pass those values to clonefish)
  • $cf->getElementValues( true ) (if you need escaping, for example for a hand-built query)
  • $cf->getElementValues( false ) (if you do not need escaping, for example for an e-mail or a prepared statement)
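The flag discipline described above, carried through end to end, as an added example. This is not clonefish's code: the FlaggedValue class and the stripMagicQuotes() helper are stand-ins invented here to show the same rule, and the sample arrays are constructed. It assumes PHP 7 or later with the pdo_sqlite extension available.

```php
<?php
// Added illustration of the "flag whether it is escaped" rule. Not clonefish
// code: FlaggedValue and stripMagicQuotes() are invented for this example and
// the $submitted / $magicQuoted arrays are constructed sample input.
declare(strict_types=1);

/** Recursively undo the backslashes magic_quotes_gpc adds to GPC data. */
function stripMagicQuotes($data)
{
    return is_array($data) ? array_map('stripMagicQuotes', $data) : stripslashes($data);
}

/**
 * Holds one canonical representation of a value: the raw, unescaped string.
 * Every setter states whether the incoming value is already escaped and
 * every getter states whether the caller wants it escaped, so a value is
 * never escaped twice and never handed out unescaped by accident.
 */
final class FlaggedValue
{
    private $raw = '';

    public function setValue(string $value, bool $alreadyEscaped): void
    {
        // Strip addslashes()-style escaping exactly once.
        $this->raw = $alreadyEscaped ? stripslashes($value) : $value;
    }

    public function getValue(bool $escaped): string
    {
        return $escaped ? addslashes($this->raw) : $this->raw;
    }
}

// Real entry point: let PHP say whether $_POST is pre-escaped. Only PHP < 5.4
// can answer yes; the version guard keeps newer PHP (where the function no
// longer exists) from calling it. Then canonicalise the whole array once,
// nested keys included.
$postIsEscaped = PHP_VERSION_ID < 50400 && get_magic_quotes_gpc();
$cleanPost = $postIsEscaped ? stripMagicQuotes($_POST) : $_POST;

// Constructed sample input in both forms PHP might deliver it.
$submitted   = ['title' => "John's book"];    // magic_quotes_gpc off
$magicQuoted = ['title' => "John\\'s book"];  // magic_quotes_gpc on

// Whichever form arrives, flag it correctly and the stored value is identical.
$a = new FlaggedValue();
$a->setValue($submitted['title'], false);
$b = new FlaggedValue();
$b->setValue($magicQuoted['title'], true);

// Failure mode: mis-flagging. Declaring escaped input as raw keeps a literal
// backslash in the data, and every later "escaped" read multiplies it;
// declaring raw input as escaped silently eats legitimate backslashes.
$wrong = new FlaggedValue();
$wrong->setValue($magicQuoted['title'], false);

// Use 1: a hand-built SQL string wants the escaped form. This is the
// addslashes()-style escaping the page talks about; use 2 is safer.
$sql = 'INSERT INTO books (title) VALUES ("' . $a->getValue(true) . '")';

// Use 2: a prepared statement quotes for you, so pass the raw value.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE books (title TEXT)');
$pdo->prepare('INSERT INTO books (title) VALUES (?)')->execute([$b->getValue(false)]);

// Use 3: a row read back from the database is unescaped, so the flag is false.
$row = $pdo->query('SELECT title FROM books')->fetch(PDO::FETCH_ASSOC);
$fromDb = new FlaggedValue();
$fromDb->setValue($row['title'], false);

// Use 4: an e-mail body needs no escaping at all.
$mailBody = 'New book submitted: ' . $fromDb->getValue(false);

// Show the outcomes side by side.
printf("raw (quotes off): %s\n", $a->getValue(false));
printf("raw (quotes on):  %s\n", $b->getValue(false));
printf("mis-flagged:      %s\n", $wrong->getValue(true));
printf("sql:              %s\n", $sql);
printf("mail:             %s\n", $mailBody);
```

Run it with php on the command line; the two correctly flagged values print identically, the mis-flagged one shows the extra backslashes, and the prepared-statement path stores the apostrophe without any escaping in your code.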
