How to concatenate strings in php coming from the database table? - php

I have a php code as shown below in which I want to concatenate strings in php coming from the database table.
$record['INFO']['PATH_FILE'] = 'A:\RW\YVR';
$record['INFO']['FILE_NAME'] = 'abc.doc';
On concatenation, I want the string to look like this A:\RW\16may05\abc.doc (I want to open/download a file on the click as its href)
This is what I have tried:
echo ' <td rowspan="'.$hello_world.'"><a href="'.$record['INFO']['PATH_FILE'].'"\"'.$record['INFO']['FILE_NAME'].'">'."\n"; // Line A
On inspect, I am seeing in the following format:
"A:\RW\YVR\abc.doc" \""=""
Problem Statement:
I am wondering what changes I need to make at Line A so that I see in the following format "A:\RW\YVR\abc.doc" or in the format in which users can open or download.

The backslash will escape the next character, so you need to escape the backslash by using 2 backslashes.
echo '<td rowspan="'.$hello_world.'"><a href="'.$record['INFO']['PATH_FILE'].'\\'.$record['INFO']['FILE_NAME'].'">'."\n"; // Line A

Related

How to prevent PHP variables and expressions from expanding in string

The following text link works fine when I place it directly in my html:
Click here to <?php echo $showOrHideText; ?> the suggested sequence of lessons.
But I want to replace it with:
<?php echo $gradeNote; ?>
Elsewhere $gradeNote is assigned a string based on the grade of the student user. My question after many hours of searching and failing is how can I pass this snippet as a literal string, without PHP attempting to parse it and giving me a junk url? What am I doing wrong here:
$gradeNote = "Click here to <?php echo $showOrHideText; ?> the suggested sequence of lessons.";
You're running <?php and ?> tags inside of a PHP variable. As you're already dealing with PHP, these are unnecessary.
Although the quotation marks "" allow you to echo out evaluated variables, because you're also running a condition in this 'string', you'll want to extrapolate that out and simply store the result as a variable. I've called mine $show.
As such, you're simply looking for:
if ($slcustom29 == 0) {
    $show = 1;
}
else {
    $show = 0;
}
$gradeNote = "Click here to $showOrHideText the suggested sequence of lessons.";
Remember to either escape the double-quotes in the <a href="">, or swap them for single-quotes.
This can be seen working here.
Hope this helps!
Try something like this.
$s = ($slcustom29 == 0) ? 1 : 0;
$gradeNote = "Click here to {$showOrHideText} the suggested sequence of lessons.";
Any string with double quotes "" can have a variable embedded. The {} are not necessary, but I always use them for cases like this where you are trying to embed a variable with no spaces around it: "$xabc" will return a different result from "{$x}ab".
The problem is that you are trying to put PHP logic into the string. Notice you have an IF command within the string literal. Start with a small or empty string, and concat onto it piece by piece, as opposed to doing it in one line.
Then you can echo out the single variable link.

PHP/MySQL: Strange output issue when echoing variable from MySQL database

I have a MySQL table that contains names and e-mail addresses. The data was originally imported from a .csv file, and it did not originally contain complete e-mail addresses. We had to append the #place.domain to the user's alias.
When the data is sitting in the MySQL table, it looks normal: person#place.domain; however, when I output the content in PHP, I get this: person #place.domain. There's always a space between the person and the #. It doesn't look like that in the MySQL column, nor does it look like that when I copy/paste the data into Notepad, Word, Excel, etc. Furthermore, if I erase the data in the column and manually replace it with person#place.domain, it displays normally in my PHP app. So I'm guessing there's some hidden character that PHP is picking up that I can't detect. Is there a way for me to clean this up? I've tried TRIM(), REPLACE(), etc., all to no avail.
UPDATE: I've discovered that, when I click in the MySQL field and move among the characters using my arrow keys, I have to hit the arrow key TWICE to move past the # symbol, yet there is no visible space.
I made this sample code for you:
<?php
$test = "user #mail.com";
$aux = explode("#",$test);
$mailok = trim($aux[0])."#".trim($aux[1]);
echo $test." vs ".$mailok;
?>
This is likely something like non-breaking space (ascii 160). To get rid of it:
UPDATE my_table SET e_mail = REPLACE(e_mail, CHAR(160), '');
Try a foreach loop and apply the chr($char) function to every character in the string; it will display the ASCII code of each character in the string, and you will find the wrong character. It's the only solution I found. Hope this is useful.
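To locate the hidden character discussed in this thread, the following added example (not code from any of the posts) lists every byte outside printable ASCII together with its offset, then strips the usual invisible characters. The sample value is constructed and assumes the stray character is a UTF-8 non-breaking space; the function names are hypothetical.

```php
<?php
// Added example: report every byte outside printable ASCII, with its offset.
// A multi-byte UTF-8 character shows up as a run of consecutive offsets.
function find_suspicious_bytes(string $value): array
{
    $hits = [];
    $length = strlen($value);               // byte length, not character count
    for ($i = 0; $i < $length; $i++) {
        $code = ord($value[$i]);            // ord() returns the numeric byte value
        if ($code < 0x20 || $code > 0x7E) {
            $hits[] = sprintf('offset %d: 0x%02X', $i, $code);
        }
    }
    return $hits;
}

// Remove common invisible characters: NBSP (U+00A0), zero-width characters
// (U+200B..U+200D) and the BOM (U+FEFF).
function strip_invisible(string $value): string
{
    $clean = preg_replace('/[\x{00A0}\x{200B}-\x{200D}\x{FEFF}]/u', '', $value);
    if ($clean === null) {
        // preg_replace() returns null when the input is not valid UTF-8;
        // fall back to treating it as single-byte data with a lone 0xA0.
        $clean = str_replace("\xA0", '', $value);
    }
    return $clean;
}

// Constructed sample: "person", a UTF-8 non-breaking space (C2 A0), then the rest.
$email = "person\xC2\xA0#place.domain";

print_r(find_suspicious_bytes($email));
var_dump(strip_invisible($email) === 'person#place.domain');
```

Running the byte dump on the raw column value before cleaning shows which encoding the stray character arrived in, which decides what has to be replaced in the table.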

Saving textarea contents to mysql then displaying correctly on page

I am trying to save the contents of a textarea into a mysql database, then echo the contents on the page at a later time.
Here is what I'm doing:
In the textarea, I literally type:
Hello
How's life?
To store it in mysql, I am using:
$textarea = mysql_real_escape_string($_POST['textarea']);
In mysql, it looks like:
Hello\r\n\r\nHow\\\'s life?
To echo onto the page, I am using:
echo nl2br($textarea);
But, it is still echoing out exactly as it is shown in mysql. How do I remove the extra \'s from the output and also display the contents on the proper line?
Thanks
Try using:
echo preg_replace('/[\s]+/', ' ', stripslashes($textarea));
stripslashes returns a string with backslashes stripped off.

PHP halts output of data on apostrophe

I wrote a php script that pulls some data from a database and displays it in XML format. For some reason it halts output when it gets to an apostrophe in the data. This is a SELECT statement, and a simple one at that, so I don't understand why there are any issues with apostrophes or quotation marks. I've tried using addslashes() and mysql_real_escape_string(), even though my understanding is that those are for sanitizing data being inserted into the database, and it did not help. I'm stumped. Below is the code and thanks in advance for any advice!
<? if($result = $mysqli->query("SELECT * FROM ".$tbl)){
while($row = $result->fetch_object()){ ?>
<slide>
<id><?= $row->id ?></id>
<title><?= $row->title ?></title>
<chatter><?= $row->description ?></chatter>
<image><?= $row->path ?></image>
<link><?= $row->href ?></link>
<active><?= $row->active ?></active>
</slide>
<? }
}else{
echo $mysqli->error;
}
EDIT:
It turns out I have misunderstood the problem. They are not apostrophes but instead are right single quotes. If I change them to actual apostrophes the script works but I still don't understand why it doesn't simply output them though.
Try with str_replace("'", "\'", $field_to_be_replaced);
You can replace the ' char with a blank space if you prefer, just for testing.
Are you sure it halts on the output of the data, and not when the data is processed? Apostrophes have special meaning in XML, so if they are included in your XML data you have to replace them with an entity reference. There are 5 predefined entity references in XML, for less than, greater than, ampersand, apostrophe, and one for quotation mark. Alternatively, you can mark the text as CDATA so that the XML parser doesn't try to parse it.
Try making your program output the XML data to a text file instead of to wherever it is going now. Does it still halt on the apostrophe? If not, then it's definitely because of a problem parsing the data. If your program still halts on the apostrophe even when outputting the data only to a text file, there may be a problem somewhere else in the program where that data is processed. Check all the references to the variable containing the data, and see if you can find the exact line the program breaks on.
The apostrophe (') is an invalid character for XML!
You must call $safe_string = str_replace("'","&apos;",$string) in all your fields before outputting the .XML file.
Check here to learn about these characters and build a more complete str_replace
EDIT:
What I'm using:
// save ubercart products in XML
function replace_characters_for_xml($str) {
    // "&" is replaced first so the entities added afterwards are not escaped again
    return str_replace(
        array("&", ">", "<", "'", '"'),
        array("&amp;", "&gt;", "&lt;", "&apos;", "&quot;"),
        $str
    );
}
...
$row->title = replace_characters_for_xml($row->title);
$row->href = replace_characters_for_xml($row->href);
...
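The entity replacement discussed in this thread can also be done with PHP's built-in htmlspecialchars() and the ENT_XML1 flag. The following added example (not code from any of the posts) does that and also re-encodes values that are not valid UTF-8. It assumes the right single quotes mentioned in the question's edit are stored as Windows-1252 bytes; the rows and the xml_text() helper are constructed for illustration.

```php
<?php
// Added example: encode a database value for use as XML text content.
// Assumption: rows may hold Windows-1252 bytes (0x92 is a right single quote
// there), which are invalid in a document that is read as UTF-8.
function xml_text(string $value, string $fallbackCharset = 'Windows-1252'): string
{
    // Re-encode only when the bytes are not already valid UTF-8.
    if (!mb_check_encoding($value, 'UTF-8')) {
        $value = mb_convert_encoding($value, 'UTF-8', $fallbackCharset);
    }
    // ENT_XML1 selects XML's predefined entities (&apos; for the single quote);
    // ENT_QUOTES makes both ' and " get encoded.
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Constructed rows standing in for the result set of the SELECT.
$rows = [
    ['id' => 1, 'title' => "Tom & Jerry's <show>", 'description' => "It\x92s new"],
    ['id' => 2, 'title' => 'Plain title',          'description' => "caf\xC3\xA9"],
];

$xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<slides>\n";
foreach ($rows as $row) {
    $xml .= "  <slide>\n";
    foreach ($row as $field => $value) {
        // Element names come from fixed array keys here, never from user data.
        $xml .= sprintf("    <%s>%s</%s>\n", $field, xml_text((string) $value), $field);
    }
    $xml .= "  </slide>\n";
}
$xml .= "</slides>\n";

// Parse the result back to confirm that it is well-formed.
$doc = new DOMDocument();
var_dump($doc->loadXML($xml));
echo $xml;
```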

Slashes in text output

From a form, I'm asking the user to enter some text. I will retrieve this text using $_POST['text'].
The user enters the string "It's my text!"
$newText = mysql_real_escape_string($_POST['text']);
Now on the very same page after I've inserted $newText into the database I want to display
the text to the user and also use it as the value of an input text box using PHP.
// I want to make sure the user hasn't added any unsafe html in their string
$newText = htmlentities($newText);
echo "You've entered: " . $newText . "<br />";
echo "<form action=someaction.php method=post>";
echo "<input type=text value=\"" . $newText . "\">";
echo "</form>";
The output is:
You've entered: It\'s my text!
[It\'s my text!]
How do I avoid these slashes, and should I be doing anything else with my data?
You're passing the text through mysql_real_escape_string() which, as the name suggests, escapes the string, including apostrophes. mysql_real_escape_string() is meant only for preparing the data for saving to database. You shouldn't use it when displaying data to the user.
So, the solution is simple: remove the line and use htmlentities() only. Use mysql_real_escape_string() when you're saving the string to database (and only then).
Only use mysql_real_escape_string() on the variable you want to use in the query, because it will add slashes to escape some of the characters in the string. This works great for MySQL, but when you want to use it on the page it will look weird.
You could make 2 variables, 1 for MySQL and 1 for displaying the raw text.
$text = $_POST['text'];
$db_text = mysql_real_escape_string($text);
Also note that you should use stripslashes() on the data you get from the database later, to remove the slashes.
Hope this clears things up a little bit.
Now on the very same page after I've inserted $newText into the database I want to display the text to the user
That's what you are doing wrong.
An HTTP standard requires a GET method redirect after every successful POST request.
So, you have to redirect the user on the same page, where you may read inserted data from the database and show it to the user.
As for the mistake you made - just move escaping somewhere closer to the database operations, to make sure it is used only for the purpose (YET it is used obligatory, without the risk of forgetting it!).
Ideally you have to use some variables to represent the data in the query, and some handler to process them.
So, the query call may look like
DB::run("UPDATE table SET text=s:text",$_POST['text']);
where s:text is such a variable (called placeholder), which will be substituted with the $_POST['text'] value, properly prepared according to the type set in the placeholder name (s means "string", tells your function to escape and quote the data)
So, all the necessary preparations will be done inside and will spoil no source variable.
Save normally using mysql_real_escape_string(),
and when you want to display it in a form:
htmlspecialchars(stripslashes($row['text_data']))
It will do the trick.
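The textarea thread and the slashes thread above both come down to keeping SQL handling and HTML encoding separate. The following added example (not code from any of the posts) stores the raw value through a bound parameter and encodes it only at output time. It assumes PDO with the sqlite driver so that it runs offline; the table name, column name and h() helper are made up, and the same prepare/execute calls apply with a MySQL DSN.

```php
<?php
// Added example: keep the stored value raw; encode once per output context.
// Assumptions: PDO with the sqlite driver (in-memory database); the table
// "notes", the column "body" and the helper h() are hypothetical names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed input standing in for $_POST['textarea'] / $_POST['text'].
$input = "Hello\r\n\r\nHow's life? <b>not bold</b>";

// SQL context: a bound parameter travels separately from the statement text,
// so no escaping function is applied and no backslashes end up in the row.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$insert->execute([':body' => $input]);

$select = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
$select->execute([':id' => (int) $pdo->lastInsertId()]);
$stored = $select->fetchColumn();

// The row holds exactly the submitted bytes, so stripslashes() is not needed.
var_dump($stored === $input);

// HTML context: encode at output time, never before storing.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Text node: escape first, then turn newlines into <br> tags.
echo '<p>' . nl2br(h($stored)) . "</p>\n";

// Attribute value: same encoding, and the attribute is always quoted.
echo '<input type="text" name="text" value="' . h($stored) . "\">\n";
```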
