How to Include "<" in the string in PHP - php

My PHP string has < in its value, which is omitting the characters after it. How should I do that?
<?php
$abc = escapeshellarg("Amp^[dfdf&c4hcSdf/Z<dfdrV");
echo $abc; // output is Amp^[dfdf&c4hcSdf/Z
// Desired Output is Amp^[dfdf&c4hcSdf/Z<dfdrV
?>
Please help me to understand this
Thank You

The < is included, but your browser thinks it's part of an HTML tag, so hides it. Look at "View Source".
You need to escape it, so that it becomes &lt; which will look like < when displayed in the browser.
You possibly realised this, but grabbed at the wrong function - escaping isn't something you can do "once and for all", it has to be specific to the context where you're using something. escapeshellarg is for escaping strings used in command-line ("shell") commands. The function for escaping for use in HTML is called htmlspecialchars.


Need to escape or sanitise output that is displayed in a <textarea>?

Do you have to escape or sanitise output that will be in a <textarea>?
It seems that if I sanitise it using htmlentities() the actual &...; character replacements come up.
Well, you have to:
<?php
$content = "</textarea><script>alert('hi!')</script>";
?>
<textarea>
<?php echo $content; ?>
</textarea>
Yes, you need to sanitize. Use htmlspecialchars($str, ENT_QUOTES) instead.
If that output was initially provided by the user or any untrusted source (i.e. not directly from your code) then it needs to be sanitized to prevent against XSS attacks.
You need to consider whether the output is editable by the user or not. If it is not and it is a trusted output (maybe coming from predefined texts that YOU wrote) you obviously don't. Otherwise yes. And the HTML chars replacement is quite normal, but you don't have to worry because when the page is read and output to the user's browser all the previous characters will still be there.
Notice that the > and < characters could be used, if not sanitized, to inject other HTML code and in particular the <script> tag that can run Javascript.
Always escape all occurrences of < and > (with &lt; and &gt;) within the textarea's content. Otherwise one could provide the following content (example) to "escape" the textarea and inject HTML code:
</textarea><script src="http://malicious.code.is/us.js"></script>
Otherwise this could result in the following code:
<textarea id="text"></textarea><script src="http://malicious.code.is/us.js"></script></textarea>
The second </textarea> at the end would be ignored and the script tag before would be executed.
Just using htmlspecialchars() is NOT enough. It still leaves you vulnerable to certain multibyte character attack vectors (even when using htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')).
Perhaps look at a library like HTMLPurifier to give you a more complete solution.
Here is a pretty good summary of XSS protection in PHP.
http://www.bytetouch.com/blog/programming/protecting-php-scripts-from-cross-site-scripting-xss-attacks/
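Added example, not code from any of the posts above: it contrasts the two encoders from the first question (escapeshellarg for a shell argument versus htmlspecialchars for HTML) and applies the HTML one to the textarea breakout payload from this thread. The helper names h(), shellArg() and renderTextarea() are assumed names of my own, and the sample strings are constructed.

```php
<?php
// Added example (not from the original posts). Output encoding is per context:
// the same string needs a different encoder for a shell argument than for HTML.
declare(strict_types=1);

// HTML context (element body, attribute value, <textarea> content).
// ENT_QUOTES also encodes ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of making the whole call return an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Shell-argument context only. On POSIX it single-quotes the value and leaves
// '<' untouched, so it does nothing useful for HTML (the first question's mistake).
function shellArg(string $s): string
{
    return escapeshellarg($s);
}

// Render user-supplied content inside a <textarea>. Encoding the body turns a
// literal "</textarea>" into "&lt;/textarea&gt;", so the element cannot be closed early.
function renderTextarea(string $name, string $content): string
{
    return '<textarea name="' . h($name) . '">' . h($content) . '</textarea>';
}

// Constructed inputs: the string from the first question and the breakout
// payload quoted in the textarea question.
$value    = "Amp^[dfdf&c4hcSdf/Z<dfdrV";
$breakout = "</textarea><script>alert('hi!')</script>";

echo "shell context: ", shellArg($value), PHP_EOL;  // '<' survives: wrong for HTML
echo "html context:  ", h($value), PHP_EOL;         // '<' and '&' become entities

$markup = renderTextarea('content', $breakout);
echo $markup, PHP_EOL;

// Check a reviewer would want: exactly one closing tag (ours) and no raw <script>.
if (substr_count($markup, '</textarea>') !== 1 || strpos($markup, '<script') !== false) {
    throw new RuntimeException('textarea breakout was not neutralised');
}
```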

php echoing angle brackets

I want to display text on the page, the text should look like this:
<sometext> ... but when I echo this, nothing appears!!
How can I do this?
A "page" is written in HTML, so < means "Start a tag".
You have to represent characters with special meaning in HTML using entities.
You can write them directly, or make use of the htmlspecialchars function.
echo "&lt;sometext&gt;";
echo htmlspecialchars("<sometext>");
You probably want &lt;sometext&gt;.
If that text is coming from user input, you should definitely use htmlspecialchars() on it, to help prevent XSS.
This is because the browser assumes it is an unknown tag. If you want the browser to show it, use:
echo '&lt;sometext&gt;';
or use the htmlentities function like so:
echo htmlentities('<sometext>');
You need to call htmlentities() to convert the HTML metacharacters into something that will display properly.

PHP string cut short

Why does this code
$string = "!##$%^&*(<a#g.com";
echo $string;
only output:
!##$%^&*(
Is this a PHP bug?
Because < is a reserved character in HTML :)
Use &lt; and &gt;
Read this for more information
http://www.w3schools.com/HTML/html_entities.asp
You can use the function htmlspecialchars to convert such special chars
http://php.net/manual/en/function.htmlspecialchars.php
I'm not seeing that:
http://ideone.com/zhycx
Perhaps you've got some weird characters in your file? Make sure you're using a "normal" encoding on your source code, as well.
You need to do:
echo htmlentities($string);
to display the string as it is on a browser. This is because the < in the string is interpreted by the browser as start of a HTML tag.
So it's not PHP but the browser that is causing this behavior. If you do the exact same display on a command line, you'll see all the characters.
If you are viewing the output in a web browser, then the < begins a tag and is usually not displayed but interpreted in the HTML document structure parser. Also, a $ inside of a double-quoted string is interpolated as the variable name that follows it; try using single quotes where this won't happen.
Try this:
$string = '!##$%^&*(<a#g.com';
echo htmlentities($string);

PHP: how do you specify that you do not want a string evaluated?

I have some php code in a database like so
$x = "<?php some code here ?>";
but I want to output that whole line to the browser without php evaluating it. Right now it is evaluating it unfortunately. I thought about escaping it but that didn't work. How might a person accomplish this?
Thanks
EDIT:
<?php
echo '<? hey ?>';
echo "<dog dog>";
?>
if I run that code the dog dog tag shows up in the browser source code whereas <? hey ?> does not. It seems like it would still be evaluating it.
Edit, got the answer, thanks everyone.
Just do:
echo htmlspecialchars($x);
'Single quotes' tell PHP to interpret the string exactly as is. It will include all whitespace and characters exactly as is.
"Double Quotes" tell PHP to parse the string. This reduces whitespace, replaces variables, and parses any other magic string things.
Finally, `backticks` are used for shell commands.
If you are trying to display it in a browser exactly like that, you might want to try htmlentities($string).
Do you want it to appear like that? If so, you'll need to use &lt; and &gt; (strictly only the &lt; is necessary) to encode the string.
use '(single quotes) instead of "(double quotes)
In PHP double quotes evaluate expressions, single quotes do not, so:
$a = 123;
$b = "value of $a"; // value of 123
$c = 'value of $a'; // value of $a
The only problem with single quotes is they don't understand characters like \n for newlines (that will be printed as \n not a newline when put in single quotes).
So all you need is:
echo '<?php some code here ?>';
?
For more information see Strings in the PHP manual.
You're a bit unclear about what gets evaluated.
If you're talking about variables, there are plenty of correct answers here.
If you're talking about the <? ?> block, something's wrong. That string should not be evaluated if within a PHP block (If you mean the opening and closing PHP statements).
Maybe you are missing the opening and closing <? ?> before and after your operation?
If you're outputting php code you might even consider using highlight_string which will perform syntax highlighting on the input
