I have inserted an iframe value into my database using PHP. I need to display the inserted value in a textbox on another page. But while displaying the data, it only displays the value up to the first " in the iframe.
My code:
<label>Location</label> <input type="text" style="resize:vertical" class="md-input" name="locationmap" class="md-input" value="<?php echo $comp_row['comp_locationmap']?>">
<i class="glyphicon glyphicon-pushpin form-control-feedback glyphiconalign"></i> </div>
The output textbox only displays "<iframe src= "
You need to escape the special characters!
You can do this by using htmlspecialchars() to convert only special characters to HTML entities
echo htmlspecialchars($comp_row['comp_locationmap']);
or htmlentities() to convert all characters to HTML entities
echo htmlentities($comp_row['comp_locationmap']);
I'm trying to put a PHP variable in a button data attribute however weird characters are showing up instead of the punctuation. As an example instead of an apostrophe ' is showing up instead. The variable is normal everywhere else on the page. How can I fix this?
<button id="coolButton"data-name="<?PHP echo $name;?>"
You need a space between the end of id and the beginning of data-name
<button id="coolButton" data-name="<?PHP echo $name;?>"
You have the quotes at the wrong place
Instead of this:
<button id="coolButton"data-name="<?PHP echo $name;?>"
Try this:
<button id="coolButton" data-name="<?PHP echo $name; ?>">
You also didn't close the button tag, only the php part.
Sorry for my bad English
I am trying to allow users to edit their biography and on the page I want the editable text from the DB to appear in the text box. How do I do this? Currently I have the text as a placeholder, but I want to make that editable.
Also, for other, shorter fields like a user's company name, when I insert the value as the placeholder (I don't want it to be editable like the bio so it doesn't resubmit every time), it can't display more than one word. How can I fix this?
Note: I wrote a function that only displays a value from SQL if there is one, else it displays a generic text, i.e. "bio" or "email"
Here is my function where $content is something like $_POST["bio"] and
<?php
function echo_content($content, $name)
{
    if (!empty($content)) {
        echo($content);
    }
    else {
        echo($name);
    }
}
?>
Below is my html/php where $content is a value from SQL.
<div class="form-group">
<legend>Bio: </legend><textarea rows="4" cols="50" class="form-control" name="bio"
placeholder=<?php echo_content($content[0]["bio"],"Bio");?> type="text"/></textarea>
</div>
You're dumping a string into an html attribute, WITHOUT quotes, so basically you're producing:
<textarea ... placeholder=Four Score and Seven Years ago type="text">
so your placeholder is Four, and then there's a bunch of unknown/illegal attributes, Score, and, Seven etc...
Try
<textarea ... placeholder="<?php echo htmlspecialchars($var) ?>" ...>
instead. Note the " and the use of htmlspecialchars() to quote out HTML metachars.
In other words, you're basically suffering from a self-inflicted HTML injection wound.
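The fix described in this answer, written out as an added example (not code from the question or the answer). The helper names `e()` and `content_or_label()` and the sample row are hypothetical; the editable bio goes in the textarea body and the read-only hint goes in a quoted, escaped placeholder:

```php
<?php
declare(strict_types=1);

/**
 * Escape a value for an HTML text node or a quoted attribute value.
 * ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
 * with U+FFFD instead of returning an empty string.
 */
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Variant of the question's echo_content(): returns escaped text, falling back to a label. */
function content_or_label(?string $content, string $label): string
{
    // Compare against '' so a stored "0" is not treated as missing (empty() would treat it so).
    return e($content !== null && $content !== '' ? $content : $label);
}

// Constructed sample row standing in for the SQL result.
$row = [
    'bio'     => 'Four Score and "Seven" <b>Years</b> ago',
    'company' => "Joe's Widgets & Co",
];
?>
<div class="form-group">
    <legend>Bio:</legend>
    <!-- Editable text belongs in the element body, not in placeholder. -->
    <textarea rows="4" cols="50" class="form-control" name="bio"
              placeholder="Bio"><?= e($row['bio']) ?></textarea>
</div>
<div class="form-group">
    <!-- The attribute value is quoted AND escaped, so spaces and quotes stay inside it. -->
    <input type="text" class="form-control" name="company"
           placeholder="<?= content_or_label($row['company'], 'Company') ?>">
</div>
```

With the sample row, the textarea body is emitted as `Four Score and &quot;Seven&quot; &lt;b&gt;Years&lt;/b&gt; ago`, which the browser displays as the original text.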
I have a column inside my table to put HTML code in; I will use this table for email templating.
I have inside my page, all the templates inside my table, with two buttons, one to remove, and another one to edit.
The edit button shows the code inside a textbox, and to do the preview I did an echo to the code column.
<div class="tempcolumn">
<div><textarea name="ai" rows="15" cols="100" name="code" placeholder="Code">
<?php echo $get_temp; ?></textarea></div>
</div>
Preview
<div class="tempcolumn">
<p><?php echo $get_temp; ?></p>
<div></div>
</div>
To recognize the code and the id I created a hidden input
<input type="hidden" name="temp_id" value="'.$val['template_id'].'">
<input type="hidden" name="temp_code" value="'.$val['text'].'">
The script is working, but when I insert some "<" or "=" inside the code column, it doesn't work.
It is interfering because it reads the input value like this:
<input type="hidden" name="temp_id" value=" Value here + 'random character that closes the tag' ">
Is there an easier way to do that?
Thanks
You can try:
htmlspecialchars($value)
This will convert html characters to their non-interfering cousins.
See http://docs.php.net/manual/en/function.htmlspecialchars.php as I can't post the equivalents without them becoming characters.
I'm making a query to the database and am showing the value in input type text as follows:
<input type='text' name='title' value="<?php echo $noticia->_title; ?>" />
What happens is that if the text coming from the database comes within "" the text does not appear because the " " of value. If I switch to '' have the same problem if the text coming from the database is inside ''. How can I solve this problem?
value="<?php echo htmlspecialchars($noticia->_title) ?>"
htmlspecialchars() will encode any HTML metacharacters in there that would otherwise break your form, e.g.
$title = 'Hello "Joe"';
<input ... value="Hello "Joe"" />
                        ^---breaks the form
becomes
$title = htmlspecialchars('Hello "Joe"');
<input ... value="Hello &quot;Joe&quot;" />
Convert text to HTML with htmlspecialchars.
echo htmlspecialchars($noticia->_title);
Hello, I'm currently using a table to input values into a custom meta field. I have a text box called episode title. My problem here is that if the characters ' " are added in the field then everything goes into chaos. I want to use htmlspecialchars to input the values as " and ' instead of ' ". The code below does not work to convert the characters. Can anyone please help?
<p>
<input type="text" name="episode_title[]" id="episode_title[]" value="<?php echo ($_POST['episode_title']); ?>" class="title regular-text" style="width: 98%" />
<span class="description"><?php _e('Title of The Episode.'); ?></span>
</p>
add this to the htmlspecialchars call: ENT_QUOTES like so:
<?php echo htmlspecialchars($_POST['episode_title'], ENT_QUOTES); ?>
This will enable changing of both the " and the ' quotes
$_POST['episode_title'] is an array, so you need to get the right value from the array and use htmlspecialchars() on that value.
Something like:
value="<?php echo htmlspecialchars($_POST['episode_title'][$some_key]); ?>"
Edit: I am assuming that the $_POST array contains the results of the form when it is submitted.
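Both answers above combined in one added example (not code from either post): each element of the submitted `episode_title[]` array is escaped individually, and the same values are rendered once with `ENT_COMPAT` and once with `ENT_QUOTES` inside a single-quoted attribute to show why the flag matters. The function `render_titles()`, the `$post` array and the numbered ids are hypothetical; the `mixed` type needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the submitted form; episode_title[] arrives as an array.
$post = ['episode_title' => ['Pilot', 'The "Big" One', "Joe's Return"]];

/** Render one input per submitted title; anything that is not a string is skipped. */
function render_titles(mixed $titles, int $flags): string
{
    $html = '';
    $list = is_array($titles) ? array_values($titles) : [$titles];
    foreach ($list as $i => $title) {
        if (!is_string($title)) {
            continue; // nested arrays or missing values are not echoed
        }
        $html .= sprintf(
            "<input type='text' name='episode_title[]' id='episode_title_%d' value='%s'>\n",
            $i,
            htmlspecialchars($title, $flags, 'UTF-8')
        );
    }
    return $html;
}

// ENT_COMPAT (the default before PHP 8.1) encodes " but not ', so the
// single-quoted value of the third input ends after "Joe".
echo render_titles($post['episode_title'] ?? [], ENT_COMPAT);

// ENT_QUOTES encodes both quote characters, which is safe for either
// quoting style: the third value becomes Joe&#039;s Return.
echo render_titles($post['episode_title'] ?? [], ENT_QUOTES | ENT_SUBSTITUTE);
```

Since PHP 8.1 the default flags are `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401`, but passing them explicitly keeps the output identical on older versions.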