I suddenly have this strange behavior in PHP. I looked around here but cannot find a reasonable explanation
I have an extremely simple example:
<?php
$test = 'hello123';
print $test;
?>
This shows: hello123null in the webbrowser.
When I echo instead of print the result, its the same.
When I put the string in double quotes also the same.
No matter what I do, it always appends the string 'null' to it.
What is happening here?
When serving web pages and mixing HTML and PHP there are scenarios where you can flush hidden characters.
How to troubleshoot:
Turn on show all characters in the IDE so you can see spaces, line breaks, etc.
Verify no other pages are executed after that script. Sometimes when flipping between HTML and PHP extra characters are injected in the view if you are not following best practices.
Put another print line after your print hello123, is it still after hello123 or your last command?
("hello123");
print("test");
Try obflush () to pin point issue:
see https://www.php.net/manual/en/function.ob-flush.php
print("hello123");
ob_flush();
flush();
print("test");
Lastly, try setting your header.
header( 'Content-type: text/html; charset=utf-8' );
Related
I save a php string as
$url = "http://example.com/index.php?q=board/ajax_call§ion=get_messages";
The url when printed to screen displays as
"http://example.com/index.php?q=board/ajax_call§ion=get_messages" as "§" gets auto converted to special char "§".
How can I prevent this so that I can call the correct URL using cURL .
Your Problem
The problem is that § is interpreted by the browser as the HTML entity for §.* So, §ion displays as §ion.
The Solution
If you're going to print the URL itself, you need to escape the & and turn it into &. You can do this automatically using htmlentities(). Sample code:
<?php
$url = "http://example.com/index.php?q=board/ajax_call§ion=get_messages";
echo "Without htmlentities(): " . $url . "\n";
// output: http://example.com/index.php?q=board/ajax_call§ion=get_messages
echo "With htmlentities(): " . htmlentities($url) . "\n";
// output: http://example.com/index.php?q=board/ajax_call§ion=get_messages
Here's a demo.
A Note About Security
Note that using htmlentities() here is a good idea for lots of other reasons. What if somebody used this URL?
http://example.com/index.php?q=board/ajax_call§ion=get_messages<script src="http://evilsite/evil.js></script>
If you just dumped it out onto the screen, you have just included an evil JavaScript. Congratulations! You just hacked your user and, probably, got your own site hacked. This is a real problem called XSS (Cross-Site Scripting). But if you call htmlentities() first, you get:
http://example.com/index.php?q=board/ajax_call§ion=get_messages<script src="http://evilsite/evil.js></script>
That's safe and won't actually run the evil script.
* Technically, the HTML entity is §, with the semicolon, but nearly all browsers with treat it as an HTML entity with or without the semicolon. See this answer for a good explanation.
Change the & to &.
(See w3c markup validator ampersand (&) error for a bit more information.)
I don't know exactly how to explain this but when I POST on my page or when I change a SESSION variable, sometime, not always, I will get half the html in plain text starting with a hexa code. I don't know what to do. Its always random, the hexa code is almost always different.
Exemple :
bc86
<div>something...</body></html>
If there was a problem of encoding which is mostly possible then you can try the following before producing some HTML/text to client:
header('Content-Type: text/html; charset=utf-8');
I am still struggling with this problem after about 2 weeks with no sign of a solution.
Any data that is returned by PHP using $.ajax or $.post always has two spaces added onto the returned data. I have trimmed the data being echoed in PHP to confirm it's not an issue with the server or my scripts.
e.g.
echo '{"id": "'.$myId.'"}';
Becomes:
' {"id": "'.$myId.'"}'
When viewing the returned data in inspector. This causes problems for my js scripts because they expect nothing returned when there is no error. Double space is returned which causes errors when there are actually none, which in turn stops other events from firing.
I am using Jquery 1.8.3.
Does anyone have any idea what is causing this extremely strange and annoying issue?
I am using NetBeans
I recall that this only started happening since I moved my app to a new server, but I don't see how that would have effected it in this way.
This may be helpful,
I think there is a whitespace in your script (may be from included files, but not sure). You can overcome this by clearing the output buffer, before you send the data to browser. The following code will demonstrate the idea.
<?php
ob_start();
echo ' '; // Possible whitespace (may be from included files)
----------
----------
if (YOUR_CHECK_FOR_AJAX_REQUEST) {
ob_end_clean();
$myId = 1;
echo '{"id": "'.$myId.'"}';
exit;
}
?>
There is chance that you've got whitespaces at the end of your included php files (to prevent it, skip ending ?> tag).
Also you should check if there is nothing in front of <?php and disable BOM in your UTF-8 files.
The data which is returned from the file would have spaces or you would have html tags. Remove all the tags, lines, spaces and at the end remove ?>
If you are returning data from test.php the file should look like as below
<?php
$myId = '1';
echo '{"id": "'.$myId.'"}';
I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
<b>blah</b>
Which will render in the page as
<b>blah</b>
Echo don't execute PHP code from string. This is impossible and this is not security hole in your code.
You can use a template engine like Twig for exemple.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>
I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. The string looks like this:
$string = 'Hello <?php echo 'World';?>';
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the php code, just run it. It's need to be php interpreter installed, and apache+php properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it.
But. If you should eval things come from database, i'm almost sure, it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the php tag first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.