I'm using PHP to render a page. I have echo statements such as
echo "<input type=\"text\" name=\"numPlate\" id=\"numPlate\" onblur=\"caps(this.id);\" $focusPlate required value=\"" . isset($_POST['numPlate']) ? $_POST['numPlate'] : "" ."\">";
but the value is being output as plain text rather than in the input field. If I take the ternary out, the input field is rendered, which tells me that is what causes the issue, but I really don't understand why. The problem is that I have about 20 other fields on this page in a similar fashion, so it's not a very clean solution to evaluate each of these statements to a variable and have the respective variables input into the value property.
Are there any other ways I could achieve this? Thanks
Edit:
Rendered html:
<div class="row"><label for="plate">Rendszám*</label>GMS245</div>
As you can see the string is just a text.
I tested it out and I believe my second suggestion could solve it. Wrap the ternary in parentheses. From my test, it was trying to evaluate the true response to the ternary instead of setting it as the value or ignoring it. I also replaced the inner quotes with a single quote to clean up the code while still allowing the variables to be evaluated.
echo "<input type='text' name='numPlate' id='numPlate' onblur='caps(this.id);' $focusPlate required value='" . (isset($_POST['numPlate']) ? $_POST['numPlate'] : "") ."'>";
This is weird! I have a form which gets info from a DB and then fills in a form with the details. I am trying to cater for cases where a person has a name like O'Neill. At the top of the page (outside the actual form itself) is a line that echoes the user's name to the screen:
<h2>Member Details for <?php echo $thefn; ?></h2>
And this does indeed display on the page properly, i.e., Member Details for Mike O'Neill
However, in the actual form, where the code runs:
<td><?php echo "<input type='text' name='fname' value='$thefn' size='30' maxlength='30'>"; ?></td>
The name is shown with everything after the apostrophe gone! The variable is the same, so what am I doing wrong? This has got me tearing my hair out (and there's a fair amount of that!)
Let's say I put in my name as:
' /><script type="text/javascript">alert("You've just been hacked!");</script><input type="hidden" name="lol" value='hax
Now what?
htmlspecialchars($thefn)
Should help.
Use double quotes " " in your HTML like so:
echo "<input type='text' name='fname' value=\"$thefn\" size='30' maxlength='30'>";
Note that you have to escape them with \ since you already use double quotes to delimit your string (in PHP). Another solution is to use single-quotes on the PHP side (echo ' ';) and use double quotes inside the string, so that you don't need escaping.
Also note that this code is vulnerable to XSS attacks; you can use htmlspecialchars() to prevent that. Here's the corrected code (for both the XSS and the quotes):
echo '<input type="text" name="fname" value="'.htmlspecialchars($thefn).'" size="30" maxlength="30">';
Ignoring the obvious security red herring here (I assume the format of your $thefn variable is correct for going between single quotes in HTML), I would be wrapping the PHP variables inside of {} brackets, like so. This has two major advantages. One: it is easier to spot replaceable parts, plus it makes it crystal clear to PHP which part is dynamic. Two: you can use fancier variables, like arrays: {$my_array['my_key']}.
<td>
<?php
echo "<input type='text' name='fname' value='{$thefn}' size='30' maxlength='30'>";
?>
</td>
See also: PHP string parsing (in the manual)
I have a form with a url input that I need to prevent from converting, so that I can use $_GET on the target page. I have tried urlencode, urldecode, html_entity_decode, etc, but none of it prevents the html entity conversion (parse_url did nothing but get rid of all the important stuff). This is the only thread I have found that comes close to what I am trying to achieve.
It seems like there should be a simple solution, and this is not happening anywhere else I am using a url like this...
Thanks to anyone who can help!
echo "<option value='seeArtist.php?aid=".$row[0]."&ac=".$row[1]."&img=".$row[2]."'">
(blah, blah)
<input type="submit" style="margin-left:10px" name="submit" value="Go" />';
This is the result from clicking the submit button.
seeArtist.php?art_con=seeArtist.php%3Faid%3D18%26not%3Bac%3D+(aka)+Banksy%26not%3Bimg%3D0&submit=Go
Two variables are integers, so the database content is not url-encoded.
I suspect that since this is not happening anywhere else, and this is the only place where I am putting a link in a select option, that it has something to do with the submit action. In firebug the link shows up exactly the way it is supposed to. When I submit the url gets encoded.
Regardless of the PHP, your HTML is incorrect. You need to encode the ampersands. Your code should resemble this:
echo "<option value=\"seeArtist.php?aid=" . $row[0] . "&amp;ac=" . $row[1] . "&amp;img=" . $row[2] . "\">\r\n";
I also took the liberty of converting single-quotes to escaped double-quotes.
I'm a beginner PHP programmer, and I was wondering what was wrong with my code.
Here is the small excerpt from the affected spot:
echo "<form action='?tab=4' name='toedit5' method='get'><input value='text' onblur='edit('toedit5')' /></form>";
In Chrome's Developer Tools, the form element totally disappears, and the edit('toedit5') becomes edit(' toedit5').
The edit() function doesn't execute.
Is there anything wrong with this one line of code? Otherwise it is outside code messing with it. Sorry I didn't include it, but I don't know what to include. If you need more information, please tell me.
Thanks.
You need to escape your quotes inside your quoted echo'd statement, like this:
<?php
echo "<form action='?tab=4' name='toedit5' method='get'>";
echo "<input value='text' onblur='edit(\"toedit5\")' />"; // escaped..!
echo "</form>";
?>
It helped me to think about it like this when I was starting out: how does your browser know if the second single quote in onblur='edit('toedit5')' is closing your onblur statement or opening up the parameter? In this example, your browser will pair up the first 2 quotes it sees and assign that to the onblur attribute, i.e.: onblur='edit(' only!
Update 1:
Using the code above, I inspected a quick PHP page I created in Chrome's developer tools and was able to see the following (form available for inspection):
You really should use the more standard double quotes around the HTML properties and use single quotes around your string, with escaped single quotes within the javascript method calls. Like this:
echo '<form action="?tab=4" name="toedit5" method="get"><input value="text" onblur="edit(\'toedit5\')" /></form>';
I'm getting data into my database without any problem using mysql_real_escape_string.
So an entry in the database might be:
1/4" Steve's lugnuts
So that's perfectly in the database.
Now I want to search for that exact thing. But, it will mess up at either the " or the ' (I've tried a number of things, and it always messes up somewhere).
Here's what I have now:
(user_input comes from a form on the previous page)
$user_input=mysql_real_escape_string($_REQUEST['user_input']);
$search_row=mysql_query("SELECT * FROM some_table WHERE some_column LIKE '%$user_input%' ");
while($search = mysql_fetch_array($search_row))
{stuff happens}
echo "<form action='search_results.php' method='post'>";
echo "<input name='user_input' type='text' size='50' value='" . $user_input. "'>";
echo "<input type='submit' value='Lookup Parts' />";
echo "</form>";
But the problem is, I can't seem to get anything but errors.
The search field (which is supposed to populate with what they already put in) just has:
1/4\" Steve\
What am I doing wrong?
The search field (which is supposed to populate with what they already put in) just has 1/4\" Steve\
of course it has!
You misplaced your escaping.
mysql_real_escape_string is for SQL only! But you're using its result for the HTML, while for HTML you have to use a completely different way of escaping.
So, make it
$user_input=mysql_real_escape_string($_REQUEST['user_input']);
$search_row=mysql_query("SELECT * FROM some_table WHERE some_column LIKE '%$user_input%' ");
while($search = mysql_fetch_array($search_row))
{stuff happens}
$user_input =htmlspecialchars($_REQUEST['user_input'],ENT_QUOTES); // here it goes
echo "<form action='search_results.php' method='post'>";
echo "<input name='user_input' type='text' size='50' value='$user_input'>";
echo "<input type='submit' value='Lookup Parts' />";
echo "</form>";
Also note that there is no use in echoing such large chunks of HTML. Just close the PHP tag and then write pure HTML:
?>
<form action='search_results.php' method='post'>
<input name='user_input' type='text' size='50' value='<?=$user_input?>'>
<input type='submit' value='Lookup Parts' />
</form>
Looks WAY clearer, more readable and more convenient.
Well, your problem is proper quoting. Your problem is that you need different quoting for MySQL and for HTML, and you probably could also have magic_quotes_gpc set! When quoting, you always quote text for some particular output, like:
string value for mysql query
like expression for mysql query
html code
json
mysql regular expression
php regular expression
For each case, you need different quoting, because each usage is present within a different syntax context. This also implies that the quoting shouldn't be done at the input into PHP, but at the particular output! That is the reason why features like magic_quotes_gpc are broken (make sure it is switched off!!!).
So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)
mysql_real_escape_string($str)
mysql_real_escape_string(addcslashes($str, "%_"))
htmlspecialchars($str)
json_encode() - only for utf8! I use my function for iso-8859-2
mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because backslash would be escaped two times!
preg_quote()
EDIT: Regarding your original question - if you correct your quoting, you can then of course use any characters in the strings, including the single and double quotes.
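As an added example (not code from this answer or any other post above), here is the same input from the question quoted once per output context, as the list above recommends: a prepared statement plus LIKE-wildcard escaping for the SQL context, and htmlspecialchars with ENT_QUOTES for the HTML attribute context. It assumes the pdo_sqlite extension so it runs offline without a MySQL server; the table and sample rows are constructed.

```php
<?php
// Added example, not code from any answer above: the same user input
// quoted once per output context (SQL LIKE value, HTML attribute).
// Assumes the pdo_sqlite extension so it runs offline; with MySQL the
// ESCAPE clause is optional because backslash is already its default
// LIKE escape character.
declare(strict_types=1);

// Constructed sample from the question: contains both kinds of quote.
$userInput = '1/4" Steve\'s lugnuts';

// SQL context: the prepared statement quotes the value itself; only the
// LIKE metacharacters (and the escape character) still need escaping.
function escapeLike(string $value): string
{
    return addcslashes($value, '\\%_');
}

function searchParts(PDO $pdo, string $needle): array
{
    $stmt = $pdo->prepare(
        "SELECT some_column FROM some_table WHERE some_column LIKE ? ESCAPE '\\'"
    );
    $stmt->execute(['%' . escapeLike($needle) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// HTML attribute context: ENT_QUOTES so both ' and " are encoded, which
// is what the question's single-quoted value='...' attribute needs.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE some_table (some_column TEXT)');
$ins = $pdo->prepare('INSERT INTO some_table VALUES (?)');
foreach ([$userInput, '100% cotton', 'other part'] as $row) {
    $ins->execute([$row]);
}

print_r(searchParts($pdo, $userInput)); // the lugnuts row, quotes intact
print_r(searchParts($pdo, '%'));        // only the row containing a literal %
echo "<input name='user_input' type='text' value='" . attr($userInput) . "'>\n";
```

Note that the value stored in the database is the raw text, never an escaped form; each escaping step belongs to the output it is written into.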
Print your sentence "SELECT * FROM some_table WHERE some_column LIKE '%$user_input%' " to see what it is doing (and escaping).
Not a solution, but take a look at mysqli or PDO (http://stackoverflow.com/questions/548986/mysql-vs-mysqli-in-php); they have utilities for prepared statements.
I don't know if it helps for sure, but shouldn't you escape once for the query and another time for the HTML?
$query = sprintf("SELECT * FROM some_table WHERE some_column LIKE '%s' ", mysql_real_escape_string($user_input));
echo "<input name='user_input' type='text' size='50' value='".htmlentities($user_input)."'>";
edit
You maybe don't want to change (escape) your input ($user_input) every time you submit... although if it's only ' and " that are affected, it might not matter anyway.
I am having this error in my code..
echo "<input type='button' value='send mails' onclick=\"sendmails(".$sendQuestion.")\">";
I kind of feel stupid posting this question. But I am unable to figure out what's wrong in this code.
This code is written in PHP. It works fine if I don't pass any arguments to the sendmails function, but when I pass an argument it gives this error:
missing ) after argument list
sendmails(Type your Question here testin to post from chrome)
Add a quote around it:
echo "<input type='button' value='send mails' onclick=\"sendmails('".$sendQuestion."')\">";
Without the quotes, javascript misreads your string.
If you take a look at the generated HTML, it'll look something like this:
<input type='button' value='send mails' onclick="sendmails(Type your Question here testin to post from chrome)">
There are some quotes missing around the string you're passing as parameter to the JS function sendmails.
So, I'd say add some quotes around it; a bit like this:
echo "<input type='button' value='send mails' onclick=\"sendmails('".$sendQuestion."')\">";
EDIT: added more stuff...
But, if $sendQuestion contains quotes, it'll get you another error... So it might be useful to
bad idea: either replace those ' with \' with something like str_replace
or "transform" the string to a valid-JS one, with, for instance, json_encode
The second solution will get you PHP code like this (note that json_encode adds double quotes around the string... so it becomes harder to embed directly in the function call... so let's use a variable):
$sendQuestion = "Type your Question' here testin to post from chrome";
$json = json_encode($sendQuestion);
echo '<script type="text/javascript">' . "\n";
echo 'var myString = ' . $json . ';' . "\n";
echo '</script>' . "\n";
echo "<input type='button' value='send mails' onclick=\"sendmails(myString)\">";
And the generated HTML will be :
<script type="text/javascript">
var myString = "Type your Question' here testin to post from chrome";
</script>
<input type='button' value='send mails' onclick="sendmails(myString)">
Which is much nicer :-)
Maybe not perfect yet... But, by now, I think you get the point ;-)
As a side note: json_encode only exists since PHP 5.2... so you might want to check the version of PHP you are using...
The first thing you are doing wrong is posting some PHP code when the error is being reported by your JavaScript engine.
To debug it, the JavaScript is important. We can guess what the JS might look like, but it is much easier if we can see the JS to start with.
In this case, the most probable explanation is that you want to write some JS that has a string literal in it — but you aren't surrounding the JS argument with quote marks.
Think of PHP as a templating engine. Try this:
?>
<input
type="button"
value="Send mails"
onClick="sendmails('<?php echo $sendQuestion; ?>');">
<?php
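Both of the last two answers put a PHP string inside an inline onclick handler. As an added example (not code from either answer), here is the button built with both layers of encoding that such a value needs: json_encode with the JSON_HEX_* flags for the JavaScript string literal, then htmlspecialchars for the attribute that contains it. It assumes PHP 7.3 or later for JSON_THROW_ON_ERROR; the sample question text is constructed.

```php
<?php
// Added example, not code from either answer above: a PHP string placed in
// an inline onclick handler needs two layers of encoding, JS then HTML.
// Assumes PHP 7.3+ (JSON_THROW_ON_ERROR).
declare(strict_types=1);

// Encode for a JavaScript string literal. The JSON_HEX_* flags turn
// < > & ' " into \uXXXX escapes, so the result contains nothing that
// HTML could mistake for markup or an attribute delimiter.
function jsString(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Encode for an HTML attribute value delimited by double quotes.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the button from the question with the argument properly quoted:
// the JS call is assembled first, then the whole call is attribute-encoded.
function sendMailsButton(string $question): string
{
    return '<input type="button" value="send mails" onclick="'
        . attr('sendmails(' . jsString($question) . ')') . '">';
}

// Constructed sample: the asker's text plus the quote characters that broke
// the naive version and a closing tag that would break a raw echo.
$sendQuestion = "Type your Question' here \"testin\" </script>";

echo sendMailsButton($sendQuestion), "\n";
```

The browser decodes the attribute back to `sendmails("...")` with every quote, angle bracket and ampersand still as a \uXXXX escape inside the JS string, so neither the attribute nor the handler can be terminated early by the question text.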